This year, I delivered a talk at DEF CON 29 IoT village on the social exploitation of victims proxied through Alexa voice assistant devices.
Check out the Video here!!!
The talk was live-streamed on Twitch on Friday, August 6th at 3:30pm PT on the IoT Village Twitch Channel. If you missed the live talk, check out the video on YouTube here:
What's the talk about???
As voice assistant technologies (such as Amazon Alexa and Google Assistant) become increasingly sophisticated, we are beginning to see adoption of these technologies in the workplace. Whether supporting conference room communications, or even supporting interactions between an organization and its customers — these technologies are becoming increasingly integrated into the ways that we do business. While implementations of these solutions can streamline operations, they are not always without risk. During this talk, the speaker will discuss lessons learned during a recent penetration test of a large-scale “Alexa for Business” implementation in a hospital environment where voice assistants were implemented to assist with patient interactions during the peak of the COVID-19 pandemic. The speaker will provide a live demonstration of how a cyber-criminal could potentially use pre-staged AWS Lambda functions to compromise an “Alexa for Business” device with less than one-minute of physical access. Multiple attack scenarios will be discussed to include making Alexa verbally abuse her users (resulting in possible reputation damage), remote eavesdropping on user interactions, and even active “vishing” (voice phishing) attacks to obtain sensitive information. Finally, the talk will conclude with a discussion of best-practice hardening measures that can be taken to prevent your “Alexa for Business” devices from being transformed into foul-mouthed miscreants with malicious intent.
Comments
Post a Comment