Alexa Versus Alexa Tricks Voice Assistants Into Running Malicious Commands From Their Own Speakers

Researchers from the University of London and the Università degli Studi di Catania have published a paper showcasing a new class of attacks against voice-activated assistant systems, dubbed Alexa versus Alexa and triggered by having the device self-issue voice commands.

"Alexa versus Alexa [is] a novel attack that leverages audio files containing voice commands and audio reproduction methods in an offensive fashion, to gain control of Amazon Echo devices for a prolonged amount of time," the team explains of its work. "AvA leverages the fact that Alexa running on an Echo device correctly interprets voice commands originated from audio files even when they are played by the device itself – i.e., it leverages a command self-issue vulnerability."

The idea behind the attack, which the researchers term "AvA" for short: Having a target Alexa device play back attacker-controlled audio, either as a radio station or from a connected Bluetooth device, and then interpret the audio — generated from a text-to-speech system — as vocal commands.

"The adversary sends a command which is self-issued by the Echo device and interpreted by AVS [Alexa Voice Service]," the team writes of the attack flow. "If an external skill is requested by the command, AVS communicates with the related server, then it sends back the reply to Echo. As a result, the attacker can perform any action on the VPA (e.g. make phone calls, set alarms), on any skill (e.g., buy items), or they can control other smart appliances in the household (e.g., lights and door-locks)."

In the process of testing the attack, the team also found two other vulnerabilities: One allows an attacker to send a wake-word and command without the usual effect of Alexa reducing the volume of currently-playing audio for the duration of recognition, making it less likely anyone will notice the attack; the other allowing Skills to remain silent for more than an hour rather than the default eight seconds — opening the platform up to attacks where a malicious skill can perform eavesdropping attacks on instructions meant for Alexa itself.

The attacks aren't necessarily straightforward, however. The team tested three different mounting positions for Echo Dot devices and found that the presence or absence of surfaces from which audio could bounce affected the reliability of self-triggered commands; it also requires the attacker to have direct access to the target device away from observation, in order to set up the initial Bluetooth connection.

Nevertheless, the team has advice for countermeasures that could be introduced to defend against the attacks — in particular adding the ability for voice assistants to automatically ignore commands coming from their own speakers, offering a liveness-detection feature, or automatic speaker verification through voice training.

"Although there is no evidence that anyone has exploited this vulnerability on Amazon Echo devices with malicious intent," says security expert Graham Cluley in an analysis of the paper for Bitdefender, "its clear that the technology giant would be wise to put countermeasures in place — such as ignoring any commands that the device itself has spoken out loud."

The team's work is available under open-access terms on the arXiv preprint server.