Researchers show Alexa “skill squatting” could hijack voice commands

Article intro image

Enlarge (credit: Amazon)

a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications. Ars met with the UIUC team (which is comprised of Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Assistant Professor Adam Bates, and Professor Michael Bailey) at USENIX Security. We talked about their research and the potential for other threats posed by voice-based input to information systems.

Its master’s voice

There have been a number of recent demonstrations of attacks that leverage voice interfaces. In March, researchers showed that, even when Windows 10 is locked, the Cortana “assistant” responds to voice commands—including opening websites. And voice-recognition-enabled IoT devices have been demonstrated to be vulnerable to commands from radio or television ads, YouTube videos, and small children.

Read 12 remaining paragraphs | Comments

Just say no: Wi-Fi-enabled appliance botnet could bring power grid to its knees

Enlarge / Reddy Kilowatt is not ready for IoT botnets. (credit: EC Comics (formerly Educational Comics))

causing local blackouts and even cascading failures of regional electrical grids. The research by Soltan, Prateek Mittal, and H. Vincent Poor used models of real-world power grids to simulate the effects of a “MaDIoT” (Manipulation of Demand Internet of Things) attack. It found that even swings in power usage that would be within the normal range of appliances such as air conditioners, ovens, and electric heating systems connected to “smart home” systems would be enough to cause fluctuations in demand that could trigger grid failures.

These kinds of attacks—focused on home-automation hubs and stand-alone connected appliances—have not yet been seen widely. But the increasing adoption of connected appliances (with many home appliances now coming with connectivity by default) and the difficulty of applying security patches to such devices make a Mirai-style botnet of refrigerators increasingly plausible, if not likely.

Soltan and his team looked at three possible categories of potential malicious demand manipulation:

Read 2 remaining paragraphs | Comments