A Survey on Amazon Alexa Attack Surfaces

The home environment is the most common setting for the Alexa voice assistant. With modern security measures, Alexa is able to prevent most noise pollution within this home environment from interrupting user conversations with the voice assistant. However, attacks that are able to permeate this noise pollution cancellation have been proven possible. These lingering security deficiencies make the voice capturing aspect of the Alexa a commonly targeted attack surface.

A very important aspect of the Amazon Alexa is its convenience. Once purchased, Amazon Echo device requires little set-up and can immediately be interacted with commands very similar to natural speech. Unfortunately, the Alexa lacks any form of voice-based authentication, allowing any voice within a home environment to interact and command Alexa. Therefore, any voice containing wake words can trigger Alexa. This has lead to the introduction of remote attacks, or attacks that take advantage of this lack of authentication by broadcasting commands over devices, such as television, radio, or speakers.

Remote Voice Attack: Due to the lack of proper user voice authentication, voice commands played by any speakers can falsely trigger Echo device to respond. In [4], researchers performed the remote voice attack in three different forms, injecting fake radio signals, replacing one TV channel with the provided video stream, and tricking a wireless speaker to play valid Echo commands.

Dolphin Attack: Dolphin attack is another form of remote attack that instead uses inaudible commands to trigger Alexa. This inaudibility is possible by modulating voice commands on ultrasonic carriers. Although dolphin attacks require ultrasound transducers to be within 2 meters of the Echo device, making it a less common threat than the remote device attacks, there is still a concern of whether these sorts of attacks will be able to lengthen its attack distance in the future [6].

Man-in-the-Middle: One research team was able to hack into an IoT device to attack the Alexa voice assistant. They used this along with several of the later mentioned techniques to implement a more sophisticated attack. Their “Man in the Middle” attack hijacks the conversation a user is having with their voice assistant without the user knowing. The first component of this attack is command jamming. They use the IoT device in order to inaudibly jam the commands the user is giving the voice assistant and simultaneously records them. When the user speaks the wake word, both the malicious and the voice assistant are activated. The malicious device uses an ultrasound modulated noise to prevent the voice assistant from understanding the user. The next component is data retrieval. Since the malicious device knows what skill the user was trying to use, it can send the same requests to the echo and find out the kind of data the user was looking for. The malicious device can now modify the data and complete the hijacking by echoing the information back to the user [14].

In cybersecurity, fingerprinting refers to a set of information that can be used to identify network protocols, operating systems, hardware devices, software among other things. Hackers use fingerprinting as the first step of their attack to gather maximum information about targets. The technique of fingerprinting can be used on the voice traffic between smart speakers and their cloud servers. In this attack, an adversary can eavesdrop both out-going and incoming encrypted voice traffic of a smart speaker, and infer which voice command a user says over encrypted traffic [15, 16].

These are attacks on the common SLU functionalities, ASR, NLU and TTS that Alexa voice service provides [10]. At this day in age, it is nearly impossible for software to perfectly understand everything a person is saying and correctly interpret intent. Homonyms and homophones are commonly misunderstood even by humans, and has currently been found to be near impossible for computers to accurately identify in human language [17]. Usually the language processing models are not accurate enough nor trained with other languages or accents. These deficiencies in Alexa’s SLU are the targets for this particular attack surface.

Skill Squatting: Skill Squatting is the creation of malicious skills that carry invocation and intent names that sound similar to the invocation and intent names of legitimate skills. Taking advantage of the easy misinterpretation of spoken word, skill squatting relies on the systematic errors produced from word-to-word, such as pauses or mispronunciations. The intent of this attack is to confuse the Alexa and empower the malicious skill to be used instead of the legitimate one, hijacking the legitimate skill. This technique can be focused on specific types of people by leveraging words that are only squattable in targeted users’ demographic [12, 18].

Malicious skills: Malicious skills can be interpreted as any skill that is intentionally designed to act against the interests of the user. This could be a skill that mines user data or hijacks private information, or simply a skill that falsely claims to be able to perform an action it is unable to do. Currently, there are several studies that show how easily malicious skills are able to bypass Amazon’s security and become available for public use on the official Amazon Alexa skill store [19, 20, 18]. In one study, researchers were able to publish hundreds of policy-violating skills onto the Alexa skill store for users to access. There proved to be many reasons why this attack surface in particular was so vulnerable [20].

In the current Amazon skill publishing system, once a user personally verifies that their skill follows Amazon policy, the skill is put up for review and screened by an Amazon official reviewer. If the official deems the skill as following customer policy, the skill becomes available for public consumption. In this way, while each skill is afforded the time and effort of an official review, the current Amazon skill publishing system is also very reliant on screening with little emphasis on objective automation. This subjective screening process leads to a dilemma of inconsistency. In other words, skill reviewers verify skills based on their own interpretation of the Amazon policy, meaning that the chance of a skill gets published is reliant not on the contents and intentions of the skill itself but of the skill reviewer assigned to its verification. This inconsistent verification process was demonstrated in a variety of different studies [19, 20, 18, 9].

In one specific example, researchers were also able to publish skills with malicious responses by delaying the response just enough to clear the process. Furthermore, if developers indicated (through a ”developer’s form” filled with yes or no questions) that their skill does not collect user information and data, they were granted publication onto the Amazon skill store, even if their indication was false, as that claim was often not verified by skill reviewers during the official review. This means that as well as relying on individual skill reviewers, Amazon is also reliant on individual developer honesty [20].

The research team also believed that the review process is largely manual due to the inconsistency in finding issues within skills which could have been easily found by automated systems. Additionally, there was evidence of many reviews being performed by non-native English speakers who may be unfamiliar with US laws [20]. The study found that the review process was not thorough enough to detect the malicious skills that had obvious policy-breaking functionalities. Through their research it can be suggested that the abundance of human reliance and lack of automation in the skill reviewing process is a security vulnerability [20].

Masquerading Attack: Alexa voice skill is also vulnerable to voice masquerading attack. This attack takes place when the adversary makes a malicious skill that mimics the behavior of a legitimate skill or even the VPA service. These skills are able to convince the user that they are using safe and secure functionalities when in reality, all of the information they have given their voice assistance has been compromised [18].

With the adoption of serverless architecture comes the risk of applications being developed by insecure code. The OWASP community reported that these applications are vulnerable to traditional application-level attacks, like Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), broken authentication and authorization and many more [21].

Command/SQL Injection: With the coming of voice assistants comes the voice user interface (VUI) and the VUI introduces new ways of transferring information that aren’t secure or well monitored. This interface introduces a vulnerability into the Alexa system in the form of SQL injections. Attackers are able to use the VUI to interfere with queries to that the skills make to their databases and grant themselves access to otherwise sensitive data. In Black Hat Europe 2019, a group of researchers demonstrated that voice commands could also cause SQL injection if the Lambda function, processing user voice request, doesn’t have proper input validation [22].

Amazon Simple Storage Service (Amazon S3) is a scalable, high performance cloud storage service. An Amazon S3 bucket will be automatically created for storing media files when developers create an Alexa skill.

S3 Bucket Misconfiguration: The access control to an S3 bucket could be misconfigured, e.g., configuring a bucket as publicly accessible to give skills (voice apps) an easy access to all the hosted files. The problem is, anyone could find the bucket by its name and get access to all files hosted in that bucket. If that bucket happens to store some sensitive data such as private key or credentials, then those sensitive data would be leaked as well [23]. Moreover, since websites could load resources from publicly writable S3 buckets, and if those buckets got maliciously modified, then the messages returned by Alexa skills could be fake, similar to Burger King example.

One solution for protecting against remote voice capturing attacks is teaching Alexa to differentiate between live and recorded voices. Void, proposed as a lightweight voice liveness detection system, is such an example [24]. This software works to detect voice hacking attacks by finding the differences in spectral power (analysis of cumulative power patterns in spectrograms) between live-human voices and voices replayed through speakers through multiple deep learning models. Spectral power refers to the distribution of power into frequency components. Most loudspeakers inherently add distortions to original sounds while replaying them, making the overall power distribution over the audible frequency range show some uniformity and linearity.

Speaker-Sonar on the other hand is a sonar-based liveness detection system for smart speakers [25]. Sonar is a technique that uses sound propagation to detect objects. The key idea for this system was to ensure that the voice command is indeed coming from the user by tracking user movement through a constant stream of inaudible ultrasonic sound and comparing the direction of the received voice command to the user’s direction. This method in particular provided a non-intrusive user experience. However, it proved to only be reliably effectively in open outdoor spaces, as the highly decorated interiors of customer home environments proved to lessen the accuracy of the Speaker-Sonar system.

Protecting against Dolphin Attacks on the other hand requires a different set of solutions. A research team at Zhejiang University, the same research team that invented the Dolphin attack, introduced solutions for protecting against inaudible attacks. Hardware solutions for the inaudible attacks target the base of the problem. The root cause of dolphin attacks and other inaudible voice commands is that unfortunately, most commercial microphones attached to smart devices such as phones or voice assistants are able to detect acoustic sounds with frequencies higher than 20 kHz. Therefore, adjustments to microphones that suppress any acoustic signals whose frequencies are in the ultrasound range would effectively prevent many forms of inaudible attacks [6]. Additionally, inaudible voice commands are able to be canceled by adding a module to microphones that detects modulated voice commands within the ultrasound frequency range. This module would then work to demodulate the signals to obtain the baseband [6].

Under an encrypted traffic analysis attack, an attacker can effectively eavesdrop on encrypted user interactions with smart speakers. In order to protect against the privacy leakage of smart speakers through voice traffic fingerprinting, a solution called “adaptive padding” can be employed [15]. Adaptive padding refers to the addition of dummy packets to voice traffic, which are inserted based on the distribution of interarrival time while real packets still being sent at the original timestamp. This hides traffic bursts and traffic gaps, making encrypted user interactions with smart devices harder to interpret. Dummy packets produced by adaptive padding has the additional ability of sending buffered data sooner, effectively minimizing latency [15].

Alexa voice service misinterpretations is one the most exploited attack surfaces. As previously mentioned in Section III, some common attacks that target this attack surface are voice squatting attacks, voice masquerading attacks, and skill squatting attacks.

A possible countermeasure against voice squatting and voice masquerading attacks is a skill-name scanner [18]. The scanner would convert the invocation name string of a skill into a ARPABET-specified phonetic expression. This phonetic expression allows the phonetic distance between different skill names to be measured, and the skill names that are detected by the scanner to have a subset relation (considerable similarity) are deemed possible voice squatting attacks [18]. Another possible solution is to take the context info, e.g., user’s utterance and skill’s response, into consideration. An example of this is presented in [18], in which the authors built a context-sensitive detector that consists of two major components, a user intention classifier and a skill response checker, to detect if there is an impersonation and give users an alert if impersonation is detected. This would ensure that the response of the skill match the perceived user intentions.

All skills, as previously discussed in Section III, must go through a certification process before they can be published to the Alexa skill store for public consumption. Skill squatting attacks rely on attackers successfully registering malicious squatted skills. In other words, skill squatting attacks rely on the flaws of this certification process. Therefore, a possible prevention tactic against skill squatting attacks is improving the certification process by adding additional screens. For instance, a word-based and phoneme-based analysis of a new skill’s invocation name as a screening measure, in order to determine whether it could be confused for other already registered skills, would be an effective measure against skill squatting attacks [12].

Voice assistant providers, such as Amazon, have certification processes that insufficiently check the skills submitted to their stores. A study in [20], provided two recommendations to help the providers to enhance the trustworthiness of their system. Since developers have the power to change the functionality of skills after their certification, enforcing the skill behavior integrity throughout the skill life-cycle is necessary. A continuous certification/vetting process should be required whenever the developer wants to change either the front-end or the back-end. Although this may increase the latency of the certification process, it will improve its quality and increase the trustworthiness of the system.

Another observation of the certification process for skill is the room for human error in a human decision dependent vetting process. An obvious fix would be to utilize automated skill testing in order to improve the consistency of the verifications and help the testing to be more thorough. According to [20], they concluded that 234 skill submissions were done in a largely manual manner and had limited voice response testing. To further increase the strength of the certification process, voice assistant system providers need to have access to the skill’s back-end code to perform code analyses.

SQL injections have been around for a while and only because they still work and are effective at retrieving sensitive data. They are also effective at attacking the SQL databases used by Alexa skills if the Lambda functions are not up to par. One solution for that is to use Lambda-Proxy, which is an utility that could perform automated SQL injection testing for AWS Lambda functions [26, 27]. To better protect against Lambda based attacks, LambdaGuard, an AWS Lambda auditing tool could be used [28]. LambdaGuard is designed to provide visibility into Lambda functions, conduct configuration checks to identify potential vulnerabilities.

Due to human errors for configuring S3 bucket, it is necessary to have stricter default policies and tools to check for common configuration errors. In [23], the authors developed a tool for bucket owners to check the access policies of their S3 buckets and verify if readable buckets contain sensitive data such as privacy keys in .pem file. The same team also developed a browser extension for helping users to check if the rendered webpage loads resources from a writable S3 bucket [23]. If so, the extension will prevent loading those untrusted resources. The same idea could be adopted by Alexa system to verify the legitimacy of the source. If the queried website from a skill is publicly editable or loads resources from a writable S3 bucket, then those should be blocked from playing.