ADDRESSING SECURITY

CONCERNS IN AMAZON ALEXA

CASE STUDY

MAX CHRISTEAN ONG 101210046

SWINBURNE UNIVERSITY OF SARAWAK
1. Executive Summary
Digital voice assistants for the home have recently grown in popularity. These assistants,
such as Amazon Alexa and Google Home, let users operate smart devices and receive
assistance by using voice requests. This case study focuses on a strategic security plan for
Alexa's ecosystem, addressing four critical vulnerabilities. The plan emphasizes multi-factor
authentication implementation leveraging biometrics and device authentication, enhanced
privacy controls through encryption and user transparency, stricter access control for
connected devices, exploration of presence-based authentication, and continuous security
assessment with prompt updates. Implementation involves integrating advanced
authentication methods, deploying encryption and secure protocols, and conducting regular
assessments, supported by recommended technologies like biometrics, encryption,
proximity tools, and security scanners. This comprehensive plan aims to fortify Alexa's
security measures, mitigating threats and ensuring heightened user privacy and data
protection.

2. Introduction
The use of home digital voice assistant (HDVA) devices has grown significantly in recent
years. Predictions show that their numbers will more than triple, rising from 1.1 million in
2015 to 15.1 million by 2020, with a compound annual growth rate of 54.74% [1]. This spike
can be attributed in large part to the continuous efforts of key manufacturers like as Amazon
and Google, as well as third-party developers such as CapitalOne, Dominos, and Honeywell.
Voice commands now allow users to perform a wide range of tasks, including playing music,
ordering food, and shopping online, as well as managing schedules, checking the weather,
making payments, and controlling smart devices such as garage doors, plugs, and
thermostats. These assistants, like Amazon Alexa and Google Home, allow users to control
smart devices and receive help through voice commands. This research focuses on the
security issues of these assistants, particularly using Amazon Alexa as a case example.
We've identified four security weaknesses related to Alexa's access control. Victims can
suffer from fraud order attacks and home security breaches. All parties involved have
responsibility for these difficulties, including the HDVA service provider (such as Amazon),
the HDVA devices themselves, and third-party voice service developers. Both the Alexa and
Google Home services use a single-factor authentication technique that involves a
password-like speech prompt (e.g., "Alexa", "Hi, Google"). Any person or machine that
correctly utters this authentication word obtains the ability to issue voice commands that the
HDVA devices will accept, independent of the presence of authorised users. Without any
type of access restriction, these devices respond to sounds with a sound pressure level
(SPL) greater than 60 dB, without any form of access control [2]. Additionally, Alexa-enabled
smart devices lack access control measures, assuming that all voice commands from the
Alexa service are benign. Consequently, they become vulnerable to security threats when
false voice commands infiltrate the Alexa service.

3. Risk Analysis

Weak Single-factor Authentication

To authenticate users who want to use the voice service, Alexa uses a single-factor
authentication approach based on a password-like voice word. The Alexa services' voice
command recognition process does not evaluate whether the speakers are authorised users
(e.g., the Alexa device owner or the owner's family members), but rather the semantics of
the received voice commands [2]. As a result, any user who understands the voice
instructions can utilise Alexa on behalf of the victims.

• Severity: High. Unauthorized access to Alexa services could lead to compromised

personal information, unauthorized control of smart devices, and potential misuse of
services.
• Likelihood: Medium. While the flaw exists, the likelihood of exploitation might vary based
on the extent of voice command exposure.
• Impact: High. Unauthorized access can result in privacy breaches, financial risks (e.g.,
making unauthorized purchases), or controlling connected IoT devices.

Privacy Risk
The privacy and confidentiality of acquired data are key issues in every IoT system. In the
case of Alexa, the Internet of Things (IoT) gadgets put in people's homes are continually
gathering and transmitting data about their daily routines and activities. This data can reveal
very sensitive facts about their lives, such as when they are generally at home or even their
daily habits (for example, when they typically eat, sleep, and so on). If unauthorised parties
gain access to this information, it may expose individuals to physical or cybercrime dangers.
This poses a major danger to data privacy and confidentiality [4]. Personal and sensitive
data being monitored by IoT devices is the major asset in danger.

• Severity: High. Continuous listening and accidental activation pose severe risks to
privacy and confidentiality.
• Likelihood: Medium. Accidental activations have been reported but might not occur
frequently in all scenarios.
• Impact: High. Privacy breaches due to recorded conversations being sent to contacts
can lead to embarrassment, trust issues, and legal implications.

Insecure Access Control on Alexa-enabled Devices

Alexa users can control Alexa-enabled smart devices by speaking their names such as "My
Car" and commands "Close" through Alexa devices. Most vendors allow the default names
of their devices to be changed, but it is not always required. Because the device cloud
accepts all voice commands sent by Alexa, security threats caused by Alexa devices may
spread to them [2]. This insecure access control can exacerbate the damage caused by
Alexa's flaws.

• Severity: Medium. Insecure access control on connected smart devices could lead to
unauthorized control or manipulation of these devices.
• Likelihood: High. Default names and insecure access control are widespread issues that
increase the likelihood of exploitation.
• Impact: Medium. While the impact might not be as severe as direct access to Alexa, it
can still lead to privacy breaches and manipulation of connected devices.
No Physical Presence-based Access Control
The purpose of Alexa voice service is to assist users who are close to their Alexa device in
making service requests by speaking voice commands. Even when no one is nearby, the
device can still accept voice commands because it lacks presence-based access control. All
sounds that reach it at a sound pressure level (SPL) of 60 dB or above are effective [2]. As a
result, the Alexa device may successfully receive malicious voice commands from an
outsider outside the owner's space or a speaker device.

• Severity: High. Lack of physical presence-based access control poses a significant risk
as it allows for remote exploitation by adversaries or devices emitting the required sound
level.
• Likelihood: Medium. The potential for exploitation exists but might require specific
conditions (e.g., sound level, proximity) that might limit its occurrence.
• Impact: High. Unauthorized access can lead to similar consequences as the first risk,
enabling control over connected devices and compromising privacy.

4. Policy Formulation
1. Multi-factor Authentication Implementation
• Establish a policy requiring the use of multi-factor authentication (MFA) for Alexa
services. This policy aims to add layers of verification beyond voice-based
authentication.
• Define guidelines to integrate additional authentication factors like biometrics
(fingerprint, face recognition) or device authentication (via trusted devices) to
supplement voice-based authentication. This ensures a more robust and varied
authentication process.

Assumption 1: Resource Availability: Assumes the availability of adequate resources—

financial, technological, and human—to implement multi-factor authentication within the
Alexa ecosystem without substantial budgetary constraints or resource limitations.
Assumption 2: Technical Feasibility: Assumes the technical feasibility of integrating and
managing multi-factor authentication methods within the existing architecture of Alexa
devices and associated services without causing system disruptions or malfunctions.

2. Enhanced Privacy Controls and Transparency

• Enforce policies that mandate explicit user consent for data collection, storage, and
usage by Alexa devices. Users must actively agree to data collection processes.
• Implement mechanisms that increase transparency regarding data processing. This
allows users to understand how their data is being used and provides them with
greater control over their data privacy settings.

Assumption 1: Regulatory Compliance: Assumes alignment with existing and evolving

privacy regulations and standards. Assumes that implemented privacy controls comply with
legal frameworks, ensuring they meet regulatory requirements without hindering user
experience.
Assumption 2: User Understanding: Assumes users will grasp the nuances of explicit
consent for data collection and will actively engage with transparency features. Assumes
users will comprehend the implications of their choices regarding data usage and privacy
settings.

3. Stricter Access Control Standards for Connected Devices

• Establish protocols mandating secure naming conventions for all Alexa-enabled
smart devices. This prevents default or easily guessed names, promoting unique,
non-generic identifiers.
• Enforce stringent access control measures between Alexa and connected devices.
This prevents unauthorized access or manipulation of connected devices via Alexa.
Assumption 1: Vendor Collaboration: Assumes collaboration and cooperation from device
manufacturers to enforce secure naming conventions and access control measures.
Assumes vendors will align with imposed standards without significant resistance or
complications.
Assumption 2: User Adaptation: Assumes users will seamlessly adapt to and comply with
updated access control measures and naming conventions. Assumes minimal user
resistance to changing default names or undergoing additional setup processes.

4. Development of Presence-based Authentication

• Initiate research and development efforts aimed at implementing presence-based
authentication mechanisms for Alexa devices.
• Encourage the integration of proximity-based controls. This ensures that voice
commands are only accepted when the authorized user is near the device,
enhancing security against remote unauthorized access.
Assumption 1: User Acceptance: Assumes users will readily adopt and adapt to presence-
based authentication mechanisms, engaging with any necessary setup or calibration
procedures to enable accurate proximity-based authentication.

5. Continuous Security Assessment and Updates

• Implement a policy mandating regular security assessments and updates for Alexa
devices and associated services to address emerging threats and vulnerabilities.
• Ensure continuous monitoring and prompt response to security issues identified
through threat intelligence and user feedback Ensure continuous monitoring for
emerging threats and vulnerabilities. Promptly respond to security issues identified
through threat intelligence and user feedback, facilitating swift updates and patches
to mitigate risks.
These high-level policy statements aim to mitigate the most urgent threats associated with
Alexa's vulnerabilities. They focus on enhancing authentication methods, strengthening
privacy controls, enforcing access control standards, exploring new authentication
paradigms, and maintaining proactive security measures.

6. Implementation of the security programme

1. Multi-factor Authentication Implementation:
• Technology: Implement a combination of biometrics (e.g., fingerprint, facial
recognition) and device authentication (e.g., token-based authentication) alongside
voice recognition for multi-factor authentication.
 • Deployment: Integrate biometric authentication modules within Alexa devices.
Implement device authentication through secure tokens or certificates linked to user
accounts.
• Manual Controls: Develop a process for users to enrol their biometric data securely.
Establish protocols for managing and revoking device authentication tokens.

2. Enhanced Privacy Controls and Transparency:

• Technology: Utilize encryption protocols (e.g., AES-256) for data transmission and
storage. Implement privacy dashboards or settings within the Alexa app for user
consent and control over data usage.
• Deployment: Encrypt data transmission between Alexa devices and cloud servers.
Develop user-friendly interfaces within the Alexa app for users to manage data
permissions and view data usage.
• Manual Controls: Implement a user education program explaining privacy settings
and data usage, empowering users to make informed choices.

3. Stricter Access Control Standards for Connected Devices:

• Technology: Deploy unique identifiers (UUIDs) for each connected device,
disallowing default names. Utilize secure communication protocols (e.g., TLS)
between Alexa and connected devices.
• Deployment: Update the firmware of connected devices to support UUID assignment.
Implement secure communication protocols within the Alexa ecosystem.
• Manual Controls: Establish a validation process for device manufacturers to ensure
compliance with naming conventions and secure communication standards.

4. Development of Presence-based Authentication:

• Technology: Explore Bluetooth Low Energy (BLE) or RFID technologies to enable
proximity-based authentication. Develop algorithms to ascertain the user's presence
near the Alexa device.
• Deployment: Integrate BLE or RFID modules within Alexa devices. Develop firmware
updates to support proximity-based authentication.
• Manual Controls: Develop guidelines for users to calibrate and authenticate their
devices within proximity.

5. Continuous Security Assessment and Updates:

• Technology: Implement automated vulnerability scanning tools (e.g., Nessus,
OpenVAS) for regular security assessments. Use over-the-air (OTA) update
mechanisms for timely deployment of security patches.
• Deployment: Schedule periodic vulnerability scans for Alexa devices and associated
cloud services. Set up OTA update channels to ensure prompt delivery of security
patches.
• Manual Controls: Establish a response team to assess and validate vulnerability scan
results. Develop a change management process for approving and deploying
updates.
7. Summary

The security enhancement plan for Alexa's ecosystem comprises four high-level policies to
address urgent threats:

1. Multi-factor Authentication Implementation:

Utilize biometrics and device authentication alongside voice recognition for enhanced user
verification.
2. Enhanced Privacy Controls and Transparency:
Implement encryption for data transmission, introduce privacy settings, and ensure user
consent and control over data usage.
3. Stricter Access Control Standards for Connected Devices:
Deploy unique identifiers for devices, disallow default names, and enforce secure
communication protocols.
4. Development of Presence-based Authentication:
Explore proximity-based technologies for authentication, enabling verification based on user
proximity to Alexa devices.

Recommended implementation:

• Integrate biometrics and device authentication within Alexa devices.

• Implement encryption and privacy settings in the Alexa app for user control.
• Update connected devices to support unique identifiers and secure communication.
• Research BLE or RFID for proximity-based authentication in Alexa devices.
• Schedule vulnerability scans, establish OTA update channels, and form a response team
for security patches.
• Recommended technologies include biometric modules, encryption (AES),
communication protocols (TLS), proximity technologies (BLE, RFID), and security tools
(Nessus, OpenVAS).

References

[1] D. Watkins and J. Branca, "Strategy Analytics: Amazon, Google to Ship Nearly 3 Million
Digital Voice Assistant Devices in 2017," Strategy Analytics, 5 October 2016. [Online].
Available: https://www.strategyanalytics.com/strategy-analytics/news/strategy-analytics-
press-releases/strategy-analytics-press-release/2016/10/05/strategy-analytics-amazon-
google-to-ship-nearly-3-million-digital-voice-assistant-devices-in-2017#.WQtiXeXyuUk.

[2] X. Lei, T. Guan Yu, A. X. Liu, A. Kamran, C.-Y. Li and T. Xie, "The Insecurity of Home
Digital Voice Assistants – Vulnerabilities, Attacks and Countermeasures," 2017.
[3] A. Alrawais, A. R. Alhothaily, C. Hu and X. Cheng, "Fog computing for the internet of
things: Security and privacy issue," IEEE Internet Computing, vol. 21, no. 2, pp. 34 - 42,
2017.

[4] S. Pathak, S. A. Islam, H. Jiang, L. Xu and E. Tomai, "A survey on security analysis of
Amazon echo devices," High-Confidence Computing.