All Your Alexa Are Belong to Us: A Remote Voice Control Attack against Echo

Abstract

Voice controlled system becomes increasingly popular these days due to the convenient and natural control over lots of functionalities and smart devices. Amazon Echo, designed around Alexa, is capable of controlling smart devices such as locks, sending emails, making phone calls, and even bridging the gap between online services such as Twitter, Facebook, etc. Previously, researchers demonstrated that by carefully crafting obfuscated commands or transmitting commands over ultrasound carrier, voice controlled systems can be compromised without people's awareness. However, those researches require the target voice controlled systems to be close enough to their speaker or ultrasound transducer. In this paper, we proposed REEVE (REmotE VoicE control) attack that can manipulate Amazon Alexa remotely, e.g., via signal broadcasting to compromise radio, TV, speaker, etc. It works on behalf of the attackers to operate various commands beneficial to them. By analyzing more than 15,000 Alexa skills and 600 IFTTT Applets related to Alexa, we found that more than 100 of them can be used to attack Echo. We also thoroughly scrutinized the attack surface of Echo's voice control and conducted security analysis based on different consequences.