TU Darmstadt / ULB / TUbiblio

Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants

Mitev, Richard ; Miettinen, Markus ; Sadeghi, Ahmad-Reza (2019)
Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants.
ASIACCS 2019. Auckland, New Zealand (Juli 2019)
doi: 10.1145/3321705.3329842
Konferenzveröffentlichung, Erstveröffentlichung

Kurzbeschreibung (Abstract)

Voice-based virtual personal assistants such as Amazon’s Alexa or Google Assistant have become highly popular and are used for diverse daily tasks ranging from querying on-line information, shopping, smart home control and a variety of enterprise application scenarios. Capabilities of virtual assistants can be enhanced with so-called Skills , i.e., programmatic extensions that allow thirdparty providers to integrate their services with the respective voice assistant.

In this paper, we show that specially crafted malicious Skills can use the seemingly limited Skill interaction model to cause harm. We present novel man-in-the-middle attacks against benign Skills and Virtual Assistant functionalities. Our attack uses loopholes in the Skill interface to redirect a victim’s voice input to a malicious Skill, thereby hijacking the conversation between Alexa and the victim. To the best of our knowledge this is the first man-in-the-middle attack targeting the Skill ecosystem. We present the design of our attack and demonstrate its feasibility based on a proof-of-concept implementation attacking the Alexa Skills of a smart lock as well as a home security system.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2019
Autor(en): Mitev, Richard ; Miettinen, Markus ; Sadeghi, Ahmad-Reza
Art des Eintrags: Erstveröffentlichung
Titel: Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants
Sprache: Englisch
Publikationsjahr: Juli 2019
Ort: Darmstadt
Verlag: ACM
Titel der Zeitschrift, Zeitung oder Schriftenreihe: Proceedings of the 2019 on Asia Conference on Computer and Communications Security
Veranstaltungstitel: ASIACCS 2019
Veranstaltungsort: Auckland, New Zealand
Veranstaltungsdatum: Juli 2019
DOI: 10.1145/3321705.3329842
URL / URN: https://tuprints.ulb.tu-darmstadt.de/8689
Kurzbeschreibung (Abstract):

Voice-based virtual personal assistants such as Amazon’s Alexa or Google Assistant have become highly popular and are used for diverse daily tasks ranging from querying on-line information, shopping, smart home control and a variety of enterprise application scenarios. Capabilities of virtual assistants can be enhanced with so-called Skills , i.e., programmatic extensions that allow thirdparty providers to integrate their services with the respective voice assistant.

In this paper, we show that specially crafted malicious Skills can use the seemingly limited Skill interaction model to cause harm. We present novel man-in-the-middle attacks against benign Skills and Virtual Assistant functionalities. Our attack uses loopholes in the Skill interface to redirect a victim’s voice input to a malicious Skill, thereby hijacking the conversation between Alexa and the victim. To the best of our knowledge this is the first man-in-the-middle attack targeting the Skill ecosystem. We present the design of our attack and demonstrate its feasibility based on a proof-of-concept implementation attacking the Alexa Skills of a smart lock as well as a home security system.

URN: urn:nbn:de:tuda-tuprints-86890
Sachgruppe der Dewey Dezimalklassifikatin (DDC): 000 Allgemeines, Informatik, Informationswissenschaft > 004 Informatik
600 Technik, Medizin, angewandte Wissenschaften > 600 Technik
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Sicherheit in der Informationstechnik
Hinterlegungsdatum: 11 Aug 2019 19:55
Letzte Änderung: 08 Dez 2023 08:32
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen