Alexa versus Alexa (AvA) is the offensive act of self-issuing arbitrary voice commands on an Echo device, that is, using the device speaker to issue commands to the device itself. Using AvA, an attacker can control victim Echo devices leveraging common audio reproduction methods, such as a radio station that acts like a C&C server, or making Echo Dot act as a speaker for a nearby device via Bluetooth. AvA starts when the Echo device connects to one of these attack vectors. From time to time, the chosen attack vector streams over the Echo device voice commands that exploit the possibility to self-trigger it. These commands are chosen by the attacker and can be generated via any Text-to-Speech solution, or by any solution capable of generating adversarial commands which work against Alexa over-the-air, although with a lower success rate.
The video shows AvA exploiting the self-issue vulnerability to give the "Echo, what time is it?" command generated with Google TTS, by means of a nearby device connected via Bluetooth to the 3rd Generation Echo Dot. Notice how the volume turns down when Echo recognizes the wakeword. Subsequently, the video shows the exploit of a vulnerability, which we call the Full Volume Vulnerability (FVV), by self-issuing the "Echo, turn off" command. Immediately after, the attacker issues the longer command "Echo, what is the weather like in New York?". Notice how the volume is not turned down anymore, because the attacker exploited the FVV.
March 2020 Research on AvA starts!
21st January 2021 We start the responsible disclosure process by reporting all found undesirable behaviours and potential vulnerabilities to Amazon, via their Vulnerability Research Program. Our report includes the self-issue vulnerability, the Full Volume vulnerability and the possibility to chain multiple break SSML tags within a skill response, a behaviour that could lead to realistic VMA scenarios.
2nd February 2021 First response from Amazon.
4th February 2021 After a first review of the report, Amazon does not object to our decision to submit our research paper to venues for publication.
18th February 2021 Our research team engages in a videoconference with Amazon to further explain details of the found vulnerabilities.
8th April 2021 Our report is assigned Medium severity by the Amazon Team.
18th October 2021 AvA is accepted to the ASIACCS 2022 conference!
19th October 2021 Our research team contacts Amazon to inform them that our research paper will appear within the conference's proceedings. We also ask for permission to publish a pre-print version of the paper, publish this website and have a press release.
20th October 2021 Amazon requests disclosure materials for review prior to publishing ahead of conference, in line with responsible disclosure.
21st January 2022 Amazon requests edits to disclosure materials based on facts of the potential issue.
29th January 2022 Agreed deadline for the disclosure.
17th February 2022 Vulnerability is disclosed via publication of a pre-print paper on ArXiv.
23rd February 2022 The self-issue vulnerability on Amazon Echo devices gets a CVE Entry.
28th February 2022 Video demonstration of AvA is uploaded on Youtube. This website goes live.
AvA was reported by Sergio Esposito (Royal Holloway University of London), Daniele Sgandurra (Former Royal Holloway University of London) and Giampaolo Bella (Università degli Studi di Catania). The paper will be published on the 17th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2022)'s proceedings.
Associate Professor (with Italian MIUR habilitation as Full Professor) at Università degli Studi di Catania
Africa’s first cybersecurity declaration. Also, researchers get Alexa to hack itself, plus a new AR Notre Dame exhibition of Paris.
Your Alexa can hack ITSELF! NEW research.
Attackers can force Amazon Echos to hack themselves with self-issued commands.
Amazon Alexa can be hijacked via commands from own speaker.
Logo art by Giulia Coco