'Alexa vs. Alexa:' Hackers Can Trick Amazon Echo Devices into Hacking Themselves

Researchers have discovered that Amazon Echo smart speakers can be tricked into unlocking doors, making phone calls, and purchasing items via self-issued commands. In short, the devices hack themselves through an attack nicknamed “Alexa vs. Alexa.”

Ars Technica reports that researchers have developed a new method to take control of Amazon Echo smart speakers. The attack uses the device’s speaker to issue voice commands that can perform a number of actions such as unlocking doors, making phone calls, purchasing items, and controlling smart appliances.

Amazon Echo (AP)

A man surfs

The attack includes forcing the speaker to issue a “device wake word” like “Alexa” or “Echo,” sometimes via a hijacked radio station broadcast through the speaker. The vulnerability was discovered by researchers from Royal Holloway University in London and Italy’s University of Catania.

The researchers have dubbed the vulnerability “AvA” for “Alexa vs. Alexa.” The attack requires only a few seconds of a hacker being in close proximity to the Echo device. The hacker can then state a voice command connecting the Echo to the hacker’s Bluetooth-enabled device. Once this device is within radio range of the Echo, the attacker can issue commands.

Researchers wrote in a paper that the attack “is the first to exploit the vulnerability of self-issuing arbitrary commands on Echo devices, allowing an attacker to control them for a prolonged amount of time.” The paper added: “With this work, we remove the necessity of having an external speaker near the target device, increasing the overall likelihood of the attack.”

Another variation of the attack used a hijacked radio station to generate the self-issued commands, but this attack appears to have been patched by Amazon. A demo of the hack can be seen below:

‘Alexa vs. Alexa:’ Hackers Can Trick Amazon Echo Devices into Hacking Themselves

COMMENTS