Study on the Smart Speaker Security Evaluations and Countermeasures

Abstract

The smart speaker provides users with useful functions such as music playback and online search with simple operation. However, since smart speakers always wait for the user’s voice, if they are exposed to security threats, serious problems can occur such as eavesdropping and privacy disclosure. Therefore, in order to provide improved security for of all smart speakers, it is necessary to identify potential security threats and systematically investigate vulnerabilities. In this paper, we perform security threat modeling for four products with high market share. STRIDE threat modeling was used to make a checklist for systematic vulnerability checks and the checklist was used to check vulnerabilities of commercial devices. Here, we propose a new method to improve the security of smart speaker through the analysis of the vulnerability check result and the vulnerability of each product.

Appendices

Appendices

1.1 Data Flow Diagram

1.2 Attack Library

No	Year	Type	Source/Author	Title
1	2011	Conference	Black Hat 2011/Joe Grand	Hardware Reverse Engineering: Access, Analyze,& Defeat
2	2013	Conference	DEFCON 21/Phorkus and Evilrob	Hacking Embedded Devices, Doing Bad Things to Good Hardware
3	2013	Conference	Black Hat 2013/J Zaddach	Embedded Devices Security and Firmware Reverse Engineering
4	2014	Conference	Australian Information Security Management Conference/Veelasha Moonsamy, Lynn Batten	Mitigating man-in-the-middle attacks on smartphones – a discussion of SSL pinning and DNSSec
5	2015	Conference	Zeronights/Alexander, Boris	Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices
6	2015	Conference	International Telemetering Conference/Wondimu Zegeye, Richard A Dean, Farzad Moazzami, Yacob Astatke	Exploiting Bluetooth Low Energy Pairing Vulnerability in Telemedicine
7	2017	Conference	Black Hat 2017/Ben Seri and Alon Livne	Exploiting BlueBorne in Linux-based IoT devices
8	2017	Conference	HITBSecConf/Slawomir Jasek	Blue picking – hacking Bluetooth Smart Locks
9	2018	Conference	DEFCON 26/Tencent Blade Team	Breaking Smart Speaker, We are Listening to you
10	2017	Conference	Black Hat 2017/Sen Nie, Ling Liu, Yuefeng Du	Free-Fall: Hacking Tesla from Wireless to CAN BUS
11	2016	Conference	Black Hat 2016/Chilik Tamir	Su-a-Cyder: Home-Brewing iOS Malware Like a B0$$
12	2011	Conference	28th Chaos Communication Congress/Dario Carluccio	Smart Hacking for Privacy
13	2018	Vulnerability	CVE	CVE-2018-9070
14	2016	Web document	Cert Italia	Malware Android “CALLJAM” SCOPERTO SU GOOGLE PLAY
15	2016	Web document	Cert Italia	“DRESSCODE”: NUOVO MALWARE ANDROID SCOPERTO SU GOOGLE PLAY
16	2014	Web document	DistriNet	LINDDUN: Privacy Threat Modeling
17	2017	Paper	University of Notre Dame/Yuan Gong, Christian Poellabauer	Crafting Adversarial Examples for Computational Paralinguistic Applications
18	2010	Paper	IEEE Design & Test of Computers	Attacks and Defenses for JTAG
19	2013	Paper	NDSS 2013/Ang Cui, Michael Costello, Salvatore J. Stolfo	When Firmware Modifications Attack: A Case Study of Embedded Exploitation
20	2014	Paper	2014 IEEE Symposium on Security and Privacy/Lin Shung Huang, Alex Rice, Erling Ellingsen	Analyzing Forged SSL Certificates in the Wild
21	2015	Paper	IJRSCSE 2015/Vimalesh Kumar Dubey, Kumari Vaishali, Nishant Behar, Manish Shrivastava	A Review on Bluetooth Security Vulnerabilities and a Proposed Prototype Model for Enhancing Security against MITM Attack
22	2016	Paper	USENIX 2016/Nicholas Carlini, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, David Wagner	Hidden Voice Commands
23	2017	Paper	IEEE Computer Society/Hyunji Chung, Michaela loarga, Jeffrey Voas, Sangjin Lee	Alexa, Can I Trust You?
24	2017	Paper	ACM Conference on Computer and Communications Security(CCS)/Xiaoyu Ji	DolphinAttack: Inaudible Voice Commands
25	2017	Paper	MIT/William Haach, Michael Wallace	Security Analysis of the Amazon Echo
26	2017	Paper	Michigan State University/Xinyu Lei, Guan-Hua Tu, Alex X. Liu	The Insecurity of Home Digital Voice Assistants - Amazon Alexa as a Case Study
27	2017	Paper	ACM CCS 2017/Mathy Vanhoef	Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
28	2017	Paper	Personal and Ubiquitous Computing/Da-Zhi Sun, Yi Mu, Willy Susilo	Man-in-the-middle attacks on Secure Simple Pairing in Bluetooth standard V5.0 and its countermeasure
29	2017	Paper	Australian Information Security Management Conference/Brian Cusack, Bryce Antony, Gerard Ward	Assessment of security vulnerabilities in wearable devices
30	2014	Paper	2014 ACM SIGSAC Conference on Computer and Communications Security/Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, Wenke Lee	A11y Attacks: Exploiting Accessibility in Operating Systems
31	2018	Paper	Deep Learning and Security Workshop/Nicholas Carlini, David Wagner	Audio Adversarial Examples: Targeted Attacks on Speech-to-Text
32	2018	Paper	NIPS 2017 Machine Deception workshop/Moustafa Alzantot	Did you hear that? Adversarial Examples Against Automatic Speech Recognition
33	2018	Paper	Beijing Key Laboratory of IoT Information Security Technology/Nan Zhang, Xianghang Mi, Xuan Feng	Understanding and Mitigating the Security Risks of Voice-Controlled Third-Party Skills on Amazon Alexa and Google Home
34	2018	Paper	Rongjunchen Zhang, Xiao Chen, Jianchao Lu	Using AI to Hack IA: A New Stealthy Spyware Against Voice Assistance Functions in Smart Phones
35	2018	Paper	ACMSE 2018/Richmond, Kentucky	Testing vulnerabilities in Bluetooth Low Energy
36	2017	Paper	IEEE Access/Efthimios Alepis, Constantinos Patsakis	Monkey Says, Monkey Does: Security and Privacy on Voice Assistants
37	2015	Paper	IEEE Transactions on Electromagnetic Compatibility/Chaouki Kasmi, Jose Lopes Esteves	IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones
38	2015	Paper	UseNIX 2015/Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields	Cocaine Noodles: Exploiting the Gap between Human and Machine Speech Recognition
39	2017	Paper	CSAE 2017/Xiao Fu, Zhijian Wang, Yong Chen, Feng Ye	Research on Android Application Package Stealth Download Hijacking
40	2018	Paper	Ben Gurion University/Or Ami, Yuval Elovici, Danny Hendler	Ransomware Prevention using Application Authentication-Based File Access Control
41	2017	Paper	ICISS 2017/Anis Bkakria, Mariem Graa, Nora Cuppens-Boulahia	Experimenting Similarity-Based Hijacking Attacks Detection and Response in Android Systems
42	2012	Paper	SEC 2012/Alessandro Armando, Alessio Merlo, Mauro Migliardi, Luca Verderame	Would you mind Forking This Process? A Denial of Service attack on Android
43	2014	Paper	SPSM 2014/Steven Arzt, Stephan Huber, Siegfried Rasthofer, Eric Bodden	Denial-of-App Attack: Inhibiting the Installation of Android Apps on Stock Phones
44	2017	Paper	ASIA CCS 2017/Behnaz Hassanshahi, Roland H.C. Yap	Android Database Attacks Revisited
45	2017	Paper	IJCSMC 2017/Zainab S. Alwan, Manal F. Younis	Detection and Prevention of SQL Injection Attack: A Survey
46	2017	Paper	2017 IEEE Symposium on Security and Privacy/Nethanel Gelernter, Senia Kalma, Bar Magnezi, Hen Porcilan	The Password Reset MitM Attack
47	2017	Paper	ISC 2017/XingXing Wang	Improving Password Guessing using Byte Pair Encoding
48	2015	Paper	IJCSIT 2015/Aqib Malik	A Model to Restrict Online Password Guessing Attacks
49	2018	Paper	IEEE 2018/Roberto Merco	Replay Attack Detection in a Platoon of Connected Vehicles with Cooperative Adaptive Cruise Control
50	2017	Paper	INTERSPEECH 2017/Parav Nagarsheth	Replay Attack Detecting using DNN for Channel Discrimination
51	2017	Paper	2017 IEEE International Symposium on Circuits and Systems/Mohammad Raashid Ansari	A low-cost masquerade and replay attack detection method for CAN in automobiles
52	2018	Paper	Georgetown University Law Center/David A. Hyman	Implementing Privacy Policy: Who should Do What?
53	2015	Paper	Journal of Computer and Security/Nader Sohrabi Safa	Information security policy compliance model in organizations
54	2017	Paper	23rd ACM SIGKDD/Lu Zhang	Achieving Non-Discrimination in Data Release
55	2015	Paper	Privacy Enhancing Technologies/Reza Shokri	Privacy Games: Optimal User-Centric Data Obfuscation
56	2017	Paper	Cryptography and Security/Samuel Yeom	Privacy Risk in Machine Learning: Analyzing the Connection to Overfitting
57	2017	Paper	International Conference on Advances in Electrical, Electronics, Information, Communication and Bio-Informatics/Ashalatha R	Data storage security algorithms for multi cloud environment
58	2015	Paper	International Conference on Next Generation Computing Technologies/Preeti Sirohi	Cloud computing data storage security framework relating to data integrity, privacy and trust
59	2014	Paper	Intelligent Information Hiding and Multimedia Signal Processing/Jen Ho Yang	An ID-Based User Authentication Scheme for Cloud Computing
60	2016	Paper	IEEE Signal Processing Magazine/Vishal M. Patel	Continuous User Authentication on Mobile Devices: Recent progress and remaining challenges
61	2012	Technical Report	SANS/Neil Jones	Exploiting Embedded Devices
62	2012	Technical Report	Inverse Path/Andrea Barisani, Daniele Bianco	Practical Exploitation of Embedded Systems
63	2015	Technical Report	Samsclass/Sam Bowne	Making an SSL Auditing Proxy with a Mac and Burp
64	2016	Technical Report	Vanderpot/Ike Clinton, Lance Cook, Dr. Shankar Banik	A Survey of Various Methods for Analyzing the Amazon Echo
65	2016	Technical Report	Oxford University	Security Vulnerabilities in Speech Recognition Systems
66	2016	Technical Report	Vanderpot	Amazon Echo Rooting: Part 1
67	2016	Technical Report	Vanderpot	Amazon Echo Rooting: Part 2
68	2017	Technical Report	MWR labs/Mark Barnes	Alexa, are you listening?
69	2017	Technical Report	medium.com/micaksica	Exploring the Amazon Echo Dot, Part 1: Intercepting firmware updates
70	2017	Technical Report	medium.com/micaksica	Exploring the Amazon Echo Dot, Part 2: Into MediaTek utility hell
71	2017	Technical Report	NowSecure/Rono Dasgupta	Certificate pinning for Android and iOS: Mobile man-in-the-middle attack prevention
72	2017	Technical Report	Securing/Slawomir Jasek	Gattacking Bluetooth Smart Devices
73	2018	Technical Report	CanSecWest/HyperChem	Practical JTAG: From 0 to 1
74	2015	Technical Report	Charlie Miller, Chris Valasek	Remote Exploitation of an Unaltered Passenger Vehicle
75	2018	Technical Report	IEEE Security & Privacy/Lee Garber	Security, Privacy, Policy, and Dependability Roundup

1.3 STRIDE

Type	No	Name		Threat description	Attack library	Threat No
Entity	E1	User	S	The attacker masquerades as a User	18, 24, 25, 27	T1
			R	The attacker denies the control of the speaker	18, 24, 25, 27	T2
Entity	E2	Provider	S	The attacker masquerades as a Provider	36, 45	T3
			R	The attacker denies the provided of the speaker	36, 45	T4
Process	P1	Register Speaker	T	Threats to manipulate authentication values in transit	4, 10, 13, 16, 31, 57	T5
			I	Threats that expose User’s ID, Password	4, 13, 16, 22, 31, 43	T6
			D	Threats that prevent you from performing User authentication by passing invalid argument values	4, 10, 31, 43, 57	T7
Process	P2	Authentication	T	Threats to manipulate authentication values in transit	4, 13, 20, 31, 43, 57	T8
			I	Threats that expose User’s ID, Password	4, 13, 20, 22, 31, 43	T9
			D	Threats that disable data transmission of authentication values	4, 20, 31, 43	T10
			E	Threats to gain the privileges of a router through a specific attack	20, 29, 30	T11
Process	P3	Routing	S	After an attacker obtains an administrator account using a random assignment attack, Attacker masquerades as a administrator	29, 30	T12
			T	Threats to tamper with existing file system files	29, 30, 45	T13
			R	Threats denying actions such as accessing, running, or tampering with the file system	29, 30, 43, 45	T14
			I	Threats that expose users’ data flowing through the router	4, 13, 20, 22, 31, 43	T15
Process	P4	Request Smart Speaker Command	S	Disguised as user through long distance voice command	16, 18	T16
			S	Disguised as a user using voice commands over a communication medium	16, 18	T17
			S	Beyond the wall, disguised as a user through voice commands	16, 18	T18
			S	Disguised as user through high frequency voice attack	15, 17, 18, 24, 25, 39, 46	T19
			R	Threat of denying high frequency voice attacks	15, 17, 18, 24, 25, 39, 46	T20
			I	Threats that expose your information through malicious voice	6, 18, 23, 24, 26, 39, 46	T21
			D	Threats that cannot use speakers through malicious voice	6, 18, 23, 24, 39, 46	T22
Process	P5	Detect Wake Word	S	An attacker masquerades as a user and instructs the speaker	6, 16, 18, 23, 24, 25, 26, 27, 39, 46	T23
			R	Threat of denying of attacker’s voice	6, 16, 18, 23, 24, 25, 26, 27, 39, 46	T24
Process	P6	Execute Voice Data	S	Using IP spoofing to trick speakers into disguise as a server	4, 13, 23, 31	T25
			T	Threats to send manipulated voice files to speakers	4, 13, 23	T26
			R	Threats that an attacker denies camouflage and tampering	4, 13, 23	T27
			D	Threats that do not use speakers through manipulated voice files	6, 23, 24	T28
Process	P7	Periodic Firmware Check	T	Threats to modify firmware information	4, 5, 12, 38, 43, 49	T29
			I	Threats that expose firmware information	4, 5, 12, 38, 43, 49	T30
			D	Threats that make the update impossible by modifying version information	12, 43, 49	T31
Process	P8	Publish Firmware Updates	S	Malicious firmware disguised as normal firmware	1, 5, 12, 38, 49	T32
			T	Threats to modify firmware to update	1, 3, 12, 38, 43, 49	T33
			R	Threat to denial of tampered firmware installation	1, 12, 38, 43, 49	T34
			I	Threats that expose the system information contained in the firmware	5, 12, 38, 41, 49	T35
			I	Threats to fetch firmware files	1, 5, 12, 38, 41, 43, 49	T36
			D	Threats to disable firmware updates	12, 43, 49	T37
Process	P9	Install Firmware	T	Threats to modify firmware	1, 3, 5, 10, 11, 32, 34, 35, 40, 41, 42, 45, 49	T38
			R	Threat to deny firmware tampering and installation	1, 3, 10, 32, 34, 35, 40, 41, 42, 45, 49	T39
			D	threat that disables system operation by installing corrupted firmware	1, 3, 5, 10, 11, 32, 34, 35, 40, 42, 45, 49	T40
			E	Threat that an attacker installs a malicious file	1, 3, 5, 10, 11, 32, 34, 35, 40, 41, 42, 45, 49	T41
			E	Threat that user’s voice eavesdropping through modulated firmware	5, 12, 38, 49	T42
Process	P10	Publish Applications	S	Disguising a malicious application as a normal application	12, 36, 50, 51, 52, 54	T43
			T	Threats to tamper with installed applications	36, 50, 52, 54	T44
			R	Threat to denial of application installation history	36, 50, 54	T45
			I	Threats that expose information in the application	36, 50, 54	T46
			E	Threats that control smartphone functionality through malicious applications	36, 47, 48, 51	T47
Process	P11	Publish Application Updates	S	Malicious application disguised as normal application	12, 36, 50, 51, 52, 54	T48
			T	Threats to tamper with updated applications	12, 50, 52, 54	T49
			R	Threat to denial of application tampering	12, 50, 52, 54	T50
			I	Threats that expose information in application	36, 50, 54	T51
			D	Threats that disable application updates	12, 50, 54	T52
Process	P12	Install, Uninstall Application	T	Threats to install moderated files	36, 38, 50, 51	T53
			D	Threats that disrupt system operation by installing corrupted files	36, 51, 54	T54
			E	Threats that unauthorized users install files	36, 51, 54	T55
Process	P13	Periodic Application Check	T	Threats to tamper with application information	4, 13, 43	T56
			I	Threats that expose application information	4, 13, 22, 31, 43, 54	T57
			D	Threats that make the update impossible by modifying version information	4, 13, 31, 43, 54	T58
Process	P14	Application Login	S	masquerades as a user through password guessing attack	59, 60	T59
			S	Disguised as user through replay attack	61, 62, 63	T60
			I	Threats that exposed authentication values are exposed	4, 13, 31, 53, 54	T61
			I	Threats that expose other information needed for additional authentication	4, 13, 22, 31, 53, 54	T62
			D	Threats that make login page inaccessible	4, 13, 31, 53	T63
			D	Threats that exceed the number of login attempts and make normal access impossible	4, 53	T64
			E	Threats accessible to user accounts using exposed authentication values	4, 13, 54	T65
Process	P15	Bluetooth Pairing	S	Disguised as user through replay attack	61, 62, 63	T66
			T	Threat of modifying transmission information of Bluetooth	7, 9, 14, 21	T67
			I	Threats that Bluetooth transmission information is exposed	7, 9, 14, 21, 28	T68
			D	Threat that Bluetooth pairing impossible	9, 14, 21	T69
			E	Threats to gain the rights of a device through a particular attack	8, 44	T70
Data Store	D1	Smart Speaker	T	Speaker system files, threats to tamper with memory	1, 3, 5, 10, 11, 32, 34, 35, 40, 41, 42, 45, 49	T71
			R	The threat that an attacker controls the device and denies this behavior	6, 16, 18, 19, 24, 25, 33, 39, 46	T72
			I	Threats that expose sensitive information (voice, schedule, etc.)	6, 16, 18, 19, 23, 24, 25, 33, 34, 35, 37, 39, 46	T73
			D	threat that prevents a device from being used for a certain amount of time	6, 10, 16, 23, 24, 25, 32, 34, 35, 39, 40, 42, 53	T74
Data Store	D2	User Smart phone	T	a threat that modifies memory on smartphone	1, 2, 29, 30	T75
			R	Threats denying access to system files memory on smart phones	1, 2, 29, 30	T76
			I	Threats that expose system files, memory contents on smart phones	1, 2, 3, 29, 30	T77
			D	Threats that do not provide service due to memory corruption	29, 30, 53, 54	T78
			D	Threats that fail to provide services due to network paralysis	29, 30, 53, 54	T79
Data Store	D3	Firmware Data Store	T	Threats to manipulate transmitted firmware	12, 43, 49, 58	T80
			I	Threats that expose firmware data	10, 12, 16, 18, 41, 43, 49, 58	T81
			D	Threats not uploading firmware	12, 43, 58	T82
Data Store	D4	Database	T	Threats to transmit modulated data	4, 10, 31, 43	T83
			R	Threat denying modulated data transmission	4, 31, 43	T84
			I	Threats that expose your sensitive information	4, 10, 19, 22, 31, 43	T85
			D	Threats that fail to provide services through arbitrary queries	10, 55, 56	T86
Data Store	D5	App Store	T	Threat to upload moderated apps to the App Store server	47, 48	T87
			R	Threats denying access to the App Store server	47, 48	T88
			I	Threats to exposure of application data	19, 22	T89
Data Store	D6	Smart Speaker Voice Server	T	The threat that an attacker sends a malformed voice file to the server	18, 24, 25	T90
			R	A threat that denies attackers from sending malformed voice files to the server	18, 24, 25	T91

1.4 Attack Tree