You know those virtual ‘friends’ you have at home? That one you call ‘Alexa’. Well, like those other friends who enjoy tik, it may not be a good idea to allow them into your home. Academic researchers at Royal Holloway University in London and Italy’s University of Catania have found a working exploit that allows pranksters (or people up to no good) to commandeer your Amazon device and use it to issue commands to itself. Researchers have called this exploit “AvA” for Alexa versus Alexa, because it’s pitting the device against itself.
This attack isn’t even very sophisticated. It uses the Amazon Echo’s own speaker to play audio; if that audio contains the wake word ‘Alexa’ or ‘Echo’ and a suitable command, the device will follow through with the action or task. That’s even if the task or action requires affirmation from the issuer. Simply adding a ‘yes’ six seconds after the command is good enough for Alexa.
Be on the lookout for anyone talking to your microwave
All a would-be attacker needs is enough proximity to a vulnerable device while it’s turned on to instruct it to connect to their malicious device, and they’re in. Previously, a different variation of the attack used a malicious radio station to issue commands to the device. Those have since been patched by Amazon in response to the research.
Don’t believe us? Here’s a video showing just how easy it is.
Now before you start flinging your Amazon Echo against the wall or out an open window, the attack should be simple enough to avoid if you mute the device’s microphone when it’s not in use. If you do that, and if the microphone is only unmuted when you’re nearby, then you should be able to hear when the device issues itself a command and act appropriately.
By that, we mean unplugging it. We don’t think you’ll successfully make a warranty claim if you yeet it into a wall. And if it starts acting like the one in the video, yanking the plug out for a quick reset as a last resort might be a cunning plan.
Source: Ars Technica