TU Darmstadt / ULB / TUprints

Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants

Mitev, Richard ; Miettinen, Markus ; Sadeghi, Ahmad-Reza (2019)
Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants.
ASIACCS 2019. Auckland, New Zealand (09.07.2019-12.07.2019)
Conference or Workshop Item, Primary publication

[img]
Preview
Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants - Text (PDF)
Mitev-ASIACCS-2019.pdf - Accepted Version
Copyright Information: In Copyright.

Download (1MB) | Preview
Item Type: Conference or Workshop Item
Type of entry: Primary publication
Title: Alexa Lied to Me: Skill-based Man-in-the-Middle Attacks on Virtual Assistants
Language: English
Date: 9 August 2019
Place of Publication: Darmstadt
Publisher: ACM
Journal or Publication Title: Proceedings of the 2019 on Asia Conference on Computer and Communications Security
Event Title: ASIACCS 2019
Event Location: Auckland, New Zealand
Event Dates: 09.07.2019-12.07.2019
Corresponding Links:
Abstract:

Voice-based virtual personal assistants such as Amazon’s Alexa or Google Assistant have become highly popular and are used for diverse daily tasks ranging from querying on-line information, shopping, smart home control and a variety of enterprise application scenarios. Capabilities of virtual assistants can be enhanced with so-called Skills , i.e., programmatic extensions that allow thirdparty providers to integrate their services with the respective voice assistant.

In this paper, we show that specially crafted malicious Skills can use the seemingly limited Skill interaction model to cause harm. We present novel man-in-the-middle attacks against benign Skills and Virtual Assistant functionalities. Our attack uses loopholes in the Skill interface to redirect a victim’s voice input to a malicious Skill, thereby hijacking the conversation between Alexa and the victim. To the best of our knowledge this is the first man-in-the-middle attack targeting the Skill ecosystem. We present the design of our attack and demonstrate its feasibility based on a proof-of-concept implementation attacking the Alexa Skills of a smart lock as well as a home security system.

URN: urn:nbn:de:tuda-tuprints-86890
Classification DDC: 000 Generalities, computers, information > 004 Computer science
600 Technology, medicine, applied sciences > 600 Technology
Divisions: 20 Department of Computer Science > Security in Information Technology
Date Deposited: 09 Aug 2019 11:37
Last Modified: 08 Nov 2024 10:46
URI: https://tuprints.ulb.tu-darmstadt.de/id/eprint/8689
PPN:
Export:
Actions (login required)
View Item View Item