Alexa versus Alexa (AvA) is a new attack that exploits audio files containing voice commands and audio playback methods offensively to gain control of Amazon Echo devices for an indeterminate period of time. Through this vulnerability, Amazon Alexa devices could start playing audio broadcast by a remote attacker. Therefore, the suspicion that they can take control of smart speakers with Alexa integrated and listen to us becomes real.
According to security researchers at Royal Holloway, University of London, this is a patched vulnerability where a malicious person could access a smart speaker and transmit commands to themselves or other nearby Alexa-enabled speakers. This would allow it to eavesdrop on users, make unwanted purchases, and even manipulate linked calendars.
This is how Alexa attacks Alexa versus Alexa (AvA)
RHUL researchers Sergio Esposito and Daniele Sgandurra, in collaboration with Giampaolo Bella from the University of Catania in Italy, have been the discoverers of this vulnerability that they describe as “a command issue vulnerability”.
“Echo device self-activation occurs when an audio file played by the device itself contains a voice command, ” the researchers said in this article . They claim that Ava affects third and fourth generation Echo Dot smart speakers.
Triggering the attack is as simple as using an Alexa-enabled device to start playing self-created audio files. The researchers suggest they could be hosted by an Internet radio station that can sync with the Amazon Echo. “With AvA, an attacker can self-issue any permitted command to Echo, controlling it on behalf of the legitimate user.”
It does it through Alexa Skills
Alexa Skills add extra functionality to the Amazon smart speaker. The Echo speakers already have a series of Skills pre-installed, but we can also install more from the store and even create our own Skill with Alexa thanks to Blueprints. With them you can listen to music, play, order food at home, etc. To execute the attack requires the exploitation of the Skills. Next, you can see what the AvA technique consists of.
Alexa vs. Alexa Attack
This is a novel method of taking control of a person’s Echo speaker. “An attacker could then use this listening function to set up a social engineering scenario where the skill pretends to be Alexa and responds to user statements as if it were Alexa,” vulnerability researcher Sergio Esposito told The Register.
Amazon has already patched most of the vulnerabilities, except for one in which a Bluetooth-paired device was able to play audio files created through a vulnerable Amazon Echo speaker, Esposito confirmed. A vulnerability tracked as CVE-2022-25809 which has been assigned a Medium severity level .
An entry in the US National Vulnerability Database described it as an “improper disablement of audio output” and said it affected “third- and fourth-generation Amazon Echo Dot devices,” allowing “arbitrary execution of voice commands on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically nearby attackers), also known as an “Alexa vs. Alexa (AvA)” attack .
