The insecurity of home digital voice assistants - Vulnerabilities, attacks and countermeasures

Xinyu Lei*, Guan Hua Tu, Alex X. Liu, Chi-Yu Li, Tian Xie

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations

Abstract

Home Digital Voice Assistants (HDVAs) are getting popular in recent years. Users can control smart devices and get living assistance through those HDVAs (e.g., Amazon Alexa, Google Home) using voice. In this work, we study the insecurity of HDVA services by using Amazon Alexa and Google Home as case studies. We disclose three security vulnerabilities which root in their insecure access control. We then exploit them to devise two proof-of-concept attacks, home burglary and fake order, where the adversary can remotely command the victim's HDVA device to open a door or place an order from Amazon.com or Google Express. The insecure access control is that HDVA devices not only rely on a single-factor authentication but also take voice commands even if no people are around them. We thus argue that HDVAs should have another authentication factor, a physical presence based access control; that is, they can accept voice commands only when any person is detected nearby. To this end, we devise a Virtual Security Button (VSButton), which leverages the WiFi technology to detect indoor human motions. Once any indoor human motion is detected, the HDVA device is enabled to accept voice commands. Our evaluation results show that it can effectively differentiate indoor motions from the cases of no motion and outdoor motions in both laboratory and real world settings.

Original languageEnglish
Title of host publication2018 IEEE Conference on Communications and Network Security, CNS 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Print)9781538645864
DOIs
StatePublished - 10 Aug 2018
Event6th IEEE Conference on Communications and Network Security, CNS 2018 - Beijing, China
Duration: 30 May 20181 Jun 2018

Publication series

Name2018 IEEE Conference on Communications and Network Security, CNS 2018

Conference

Conference6th IEEE Conference on Communications and Network Security, CNS 2018
CountryChina
CityBeijing
Period30/05/181/06/18

Fingerprint Dive into the research topics of 'The insecurity of home digital voice assistants - Vulnerabilities, attacks and countermeasures'. Together they form a unique fingerprint.

  • Cite this

    Lei, X., Tu, G. H., Liu, A. X., Li, C-Y., & Xie, T. (2018). The insecurity of home digital voice assistants - Vulnerabilities, attacks and countermeasures. In 2018 IEEE Conference on Communications and Network Security, CNS 2018 [8433167] (2018 IEEE Conference on Communications and Network Security, CNS 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CNS.2018.8433167