The Insecurity of Home Digital Voice Assistants - Amazon Alexa as a Case Study

by Xinyu Lei, et al.

Home Digital Voice Assistants (HDVAs) have become popular in recent years. Users can control smart devices and get living assistance through those HDVAs (e.g., Amazon Alexa, Google Home) using voice. In this work, we study the insecurity of HDVA service by using Amazon Alexa as a case study. We disclose three security vulnerabilities that are rooted in the insecure access control of Alexa services. We then exploit them to devise two proof-of-concept attacks, home burglary and fake order, where the adversary can remotely command the victim's Alexa device to open a door or place an order from The insecure access control is that the Alexa device not only relies on single-factor authentication but also takes voice commands even if no people are around. We thus argue that HDVAs should have another authentication factor, a physical-presence-based access control; that is, they can accept voice commands only when a person is detected nearby. To this end, we devise a Virtual Security Button (VSButton), which leverages WiFi technology to detect indoor human motions. Once any indoor human motion is detected, the Alexa device is enabled to accept voice commands. Our evaluation results show that it can effectively differentiate indoor motions from the cases of no motion and outdoor motions in both laboratory and real-world settings.




Implementation of Google Assistant Amazon Alexa on Raspberry Pi

This paper investigates the implementation of voice-enabled Google Assis...

"Are you home alone?" "Yes" Disclosing Security and Privacy Vulnerabilities in Alexa Skills

The home voice assistants such as Amazon Alexa have become increasingly ...

The Untold Secrets of Operational Wi-Fi Calling Services: Vulnerabilities, Attacks, and Countermeasures

Since 2016, all of four major U.S. operators have rolled out nationwide ...

Inferring Facing Direction from Voice Signals

Consider a home or office where multiple devices are running voice assis...

Alexa versus Alexa: Controlling Smart Speakers by Self-Issuing Voice Commands

We present Alexa versus Alexa (AvA), a novel attack that leverages audio...

Fingerprinting Encrypted Voice Traffic on Smart Speakers with Deep Learning

This paper investigates the privacy leakage of smart speakers under an e...

Open, Sesame! Introducing Access Control to Voice Services

Personal voice assistants (VAs) are shown to be vulnerable against recor...
