Abstract

Internet of Things (IoT) devices are on the rise, along with the need for an easy way to control them. Several companies have attempted to fill this void, with the two largest and most successful being Google’s Home and Amazon’s Echo. Both of these devices are considered personal assistance devices that connect to and control many smart home devices and conduct other tasks via spoken commands. We decided to focus our testing on the Amazon Echo, with plans to conduct similar testing on a Google Home in the future. There are many personal blogs discussing different methods of attacking the companion phone app or the device’s setup. For our research, we conducted a field attack on an Amazon Echo to simulate real-world exploitation of the system. This entails discovering the device on a real-world network and gaining unauthorized control through voice exploitation. We recommend that Amazon password-protect, by default, all functions that involve a financial transaction.

Published in: World Congress on Internet Security (WorldCIS-2017)

  • Date of Conference: 11-14 December 2017
  • DOI: 10.2053/WorldCIS.2017.0020
  • ISBN: 978-1-908320-81-0
  • Conference Location: University of Cambridge, UK