Alexa versus Alexa: Controlling Smart Speakers by Self-Issuing Voice Commands

We present Alexa versus Alexa (AvA), a novel attack that leverages audiofiles containing voice commands and audio reproduction methods in an offensivefashion, to gain control of Amazon Echo devices for a prolonged amount of time.AvA leverages the fact that Alexa running on an Echo device correctlyinterprets voice commands originated from audio files even when they are playedby the device itself -- i.e., it leverages a command self-issue vulnerability.Hence, AvA removes the necessity of having a rogue speaker in proximity of thevictim's Echo, a constraint that many attacks share. With AvA, an attacker canself-issue any permissible command to Echo, controlling it on behalf of thelegitimate user. We have verified that, via AvA, attackers can control smartappliances within the household, buy unwanted items, tamper linked calendarsand eavesdrop on the user. We also discovered two additional Echovulnerabilities, which we call Full Volume and Break Tag Chain. The Full Volumeincreases the self-issue command recognition rate, by doubling it on average,hence allowing attackers to perform additional self-issue commands. Break TagChain increases the time a skill can run without user interaction, from eightseconds to more than one hour, hence enabling attackers to setup realisticsocial engineering scenarios. By exploiting these vulnerabilities, theadversary can self-issue commands that are correctly executed 99% of the timesand can keep control of the device for a prolonged amount of time. We reportedthese vulnerabilities to Amazon via their vulnerability research program, whorated them with a Medium severity score. Finally, to assess limitations of AvAon a larger scale, we provide the results of a survey performed on a studygroup of 18 users, and we show that most of the limitations against AvA arehardly used in practice.