Novel Attack Turns Amazon Devices Against Themselves

2022-03-07 21:30

Researchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves.

Smart speakers lay dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., "Hey, Google," "Hey, Cortana" or, for the Amazon Echo, "Alexa," or simply, "Echo." Usually, of course, it's the device's owner who issues such commands.

This physical impediment is balanced by the fact that, as the researchers noted, "Once paired, the Bluetooth device can connect and disconnect from Echo without any need to perform the pairing process again. Therefore, the actual attack may happen several days after the pairing."

This method "Works remotely and can be used to control multiple devices at once," but would required extra steps, including tricking the targeted user into downloading a malicious Alexa "Skill" to an Amazon device.

Using the Alexa vs. Alexa attack, attackers could tamper with applications downloaded to the device, make phone calls, place orders on Amazon, eavesdrop on users, control other connected appliances in a user's home and more.

The latest, patched version of Alexa device software can be found here.

News URL

https://threatpost.com/attack-amazon-devices-against-themselves/178797/

#amazon #attack

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Amazon		64	9	60	39	13	121