Alexa Can Be Made to Hack Itself

A team of academic researchers from London’s Royal Holloway University and Italy’s University of Catania have confirmed that Alexa will follow its own commands, as long as those commands start with the speaker’s wake word. (Echo users currently have the choice whether their device listens for “Alexa” or “Echo.”) In an unfortunate phenomenon dubbed “Alexa vs. Alexa,” or AvA, Echo users and hackers alike can take advantage of Alexa’s full voice vulnerability (FVV) to force the device to make self-issued commands without adjusting for volume as it normally would. Alexa then hears and executes the command as if it had been given by an actual person.

This is an easy vulnerability to exploit. The researchers found that bad actors need only a few seconds within close proximity of an active Echo device to issue a voice command that pairs it with their own device, allowing the bad actor to control Alexa using text-to-speech as long as they’re within radio range of each other. This is possible with both 3rd- and 4th-generation Echo Dot devices.

Thanks to how interconnected smart speakers are with various facets of our personal lives (after all, that’s kind of the point), a hacker who’s gained control of someone’s Echo device is capable of meddling with everything from the victim’s productivity tools and finances to the other devices in their home. Tests found that hackers could “control smart lights with a 93 percent success rate, successfully buy unwanted items on Amazon 100 percent of the time, and tamper [with] a linked calendar with 88 percent success rate.” If a command needed confirmation in order to proceed, all the hacker needed to do was include “yes” in their command about six seconds after their initial statement. Even “skills” could be impersonated, allowing the hacker to obtain the device owner’s personal data and passwords.

The authors of the research paper have reported these gaps and provided possible countermeasures to Amazon’s Vulnerability Research Program, which rated them with a medium severity score and stated it is working toward a solution.
