CVE-2018-11567
Summary
| CVE | CVE-2018-11567 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-05-30 22:29:00 UTC |
| Updated | 2023-11-07 02:51:00 UTC |
| Description | ** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously designed skill is installed, an attacker could obtain transcripts of speech not intended for Alexa to process, but simply spoken within the device's hearing range. NOTE: The vendor states "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do. Customers do not need to take any action for these mitigations to work." |
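The description names three ingredients that together turn a skill into a listening device: a reprompt that speaks nothing while the session stays open (so the second 8-second window passes without an audible cue), a custom slot whose values are padded with nonsense so that nearly any phrase matches it, and a backend that records the slot value. The Python below is an added example, not code from the CVE record, from the Checkmarx research, or from Amazon: it builds constructed samples in the Alexa Skills Kit JSON shapes (interaction model, response, IntentRequest) and runs a small certification-style lint over them that flags the combination. The catch-all heuristics (the value-count threshold and the slot-only sample utterance), the skill content, and the treatment of an absent `shouldEndSession` as ending the session are assumptions made for the example, not Amazon's published rules.

```python
import re

# Constructed sample interaction model (ASK JSON shape). The custom slot type
# "CatchAll" is padded with nonsense values so almost any phrase matches it,
# and the intent's sample utterance is the slot alone: the "wildcard
# ('gibberish') slot" the CVE description names.
INTERACTION_MODEL = {"interactionModel": {"languageModel": {
    "invocationName": "trivia night",
    "intents": [
        {"name": "AMAZON.StopIntent", "samples": []},
        {"name": "CatchAllIntent", "samples": ["{transcript}"],
         "slots": [{"name": "transcript", "type": "CatchAll"}]},
    ],
    "types": [{"name": "CatchAll",
               "values": [{"name": {"value": f"zorp{i} blen quap{i}"}} for i in range(120)]}],
}}}

# Constructed sample responses. The first keeps the session open and reprompts
# with empty SSML, so the microphone stays on for the second 8-second window
# with no audible cue; the second is the benign form of the same exchange.
QUESTION = {"type": "PlainText", "text": "First question. In what year did the Berlin Wall fall?"}
SILENT_REPROMPT_RESPONSE = {"version": "1.0", "response": {
    "outputSpeech": QUESTION,
    "reprompt": {"outputSpeech": {"type": "SSML", "ssml": "<speak></speak>"}},
    "shouldEndSession": False}}
BENIGN_RESPONSE = {"version": "1.0", "response": {
    "outputSpeech": QUESTION,
    "reprompt": {"outputSpeech": {"type": "PlainText", "text": "Sorry, what year was it?"}},
    "shouldEndSession": False}}

# Constructed sample: the IntentRequest the backend receives when the catch-all
# intent matches. The slot value is whatever was heard; a malicious backend
# only has to write it to its logs.
CAPTURED_REQUEST = {"version": "1.0", "request": {"type": "IntentRequest", "intent": {
    "name": "CatchAllIntent",
    "slots": {"transcript": {"name": "transcript",
                             "value": "remind me to move the money to the joint account"}}}}}

SSML_TAG = re.compile(r"<[^>]+>")

def spoken_text(output_speech):
    """Audible text of an ASK outputSpeech object, '' if it would be silent.
    Tags are stripped, so '<speak><break time="8s"/></speak>' counts as silent."""
    if not output_speech:
        return ""
    if output_speech.get("type") == "SSML":
        return SSML_TAG.sub("", output_speech.get("ssml", "")).strip()
    return (output_speech.get("text") or "").strip()

def lint_response(resp):
    """Findings for one response. A reprompt only plays while the session stays
    open, so a response that ends the session (assumed when the field is absent)
    cannot extend listening and is not flagged."""
    r = resp.get("response", {})
    if r.get("shouldEndSession", True):
        return []
    reprompt = r.get("reprompt", {}).get("outputSpeech")
    if reprompt is not None and spoken_text(reprompt) == "":
        return ["session kept open with a silent reprompt"]
    return []

def find_wildcard_slots(model, min_values=50):
    """Custom slot types that look like catch-alls. Heuristic (an assumption,
    not Amazon's published rule): a type with >= min_values values, or a slot
    that is the entire sample utterance of an intent."""
    lm = model["interactionModel"]["languageModel"]
    suspects = set()
    for t in lm.get("types", []):
        if len(t.get("values", [])) >= min_values:
            suspects.add(t["name"])
    for intent in lm.get("intents", []):
        slot_types = {s["name"]: s["type"] for s in intent.get("slots", [])}
        for sample in intent.get("samples", []):
            m = re.fullmatch(r"\{(\w+)\}", sample.strip())
            if m and m.group(1) in slot_types:
                suspects.add(slot_types[m.group(1)])
    return sorted(suspects)

def captured_speech(request, model):
    """Values delivered to the backend through wildcard slots for one request."""
    lm = model["interactionModel"]["languageModel"]
    wild = set(find_wildcard_slots(model))
    intent = request["request"]["intent"]
    spec = next(i for i in lm["intents"] if i["name"] == intent["name"])
    wild_slots = {s["name"] for s in spec.get("slots", []) if s["type"] in wild}
    return {n: s.get("value") for n, s in intent.get("slots", {}).items() if n in wild_slots}

def lint_skill(model, responses):
    """Combine the indicators: suspicious only when a wildcard slot and a
    silent-reprompt response both exist, which is the pattern described."""
    wild = find_wildcard_slots(model)
    findings = [f"catch-all slot type(s): {', '.join(wild)}"] if wild else []
    findings += [f for r in responses for f in lint_response(r)]
    return {"suspicious": bool(wild) and any(lint_response(r) for r in responses),
            "findings": findings}

if __name__ == "__main__":
    print(lint_skill(INTERACTION_MODEL, [SILENT_REPROMPT_RESPONSE, BENIGN_RESPONSE]))
    print(captured_speech(CAPTURED_REQUEST, INTERACTION_MODEL))
```

Either indicator on its own is ordinary skill behaviour (a large custom slot type is legitimate for, say, city names, and a short reprompt is normal), which is why `lint_skill` only marks the skill suspicious when both are present. Note that the lint sees only what the skill declares and returns; whether the backend actually logs the slot value, the third ingredient, is invisible to a reviewer of the model and responses and has to be judged from the skill's purpose.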
Risk And Classification
Problem Types: CWE-384 (Session Fixation)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Amazon | Echo | - | All | All | All |
| Hardware | Amazon | Echo Dot | - | All | All | All |
| Operating System | Amazon | Echo Dot Firmware | All | All | All | All |
| Operating System | Amazon | Echo Firmware | All | All | All | All |
| Hardware | Amazon | Echo Plus | - | All | All | All |
| Operating System | Amazon | Echo Plus Firmware | All | All | All | All |
| Hardware | Amazon | Echo Show | - | All | All | All |
| Operating System | Amazon | Echo Show Firmware | All | All | All | All |
| Hardware | Amazon | Echo Spot | - | All | All | All |
| Operating System | Amazon | Echo Spot Firmware | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Eavesdropping with Amazon Alexa | MISC | www.checkmarx.com | Third Party Advisory |
| Turning an Amazon Echo Into a Spy Device Only Took Some Clever Coding (WIRED) | MISC | www.wired.com | Press/Media Coverage, Third Party Advisory |
| Amazon fixes Alexa bug that let Echo keep listening | MISC | www.yahoo.com | Press/Media Coverage, Third Party Advisory |
| info.checkmarx.com/hubfs/Amazon_Echo_Research.pdf | MISC | info.checkmarx.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.