Abstract
Voice assistant platforms have revolutionized user interactions with connected vehicles, providing the convenience of controlling them through simple voice commands. However, this innovation also brings about significant cyber-risks to voice-controlled vehicles. This paper presents a novel attack that showcases the ability of a “malicious” skill, utilizing the skill ranking system on the Alexa platform, to hijack voice commands originally intended for a benign third-party connected vehicle skill. Through our evaluation, we demonstrate the effectiveness of this attack by successfully hijacking commonly used commands in commercial connected vehicle skills.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Alexa: The scalable neural architecture behind alexa’s ability to select skills. https://www.amazon.science/blog/the-scalable-neural-architecture-behind-alexas-ability-to-select-skills/
Amazon: Authorization controller interface. https://developer.amazon.com/en-US/docs/alexa/automotive/alexa-authorizationcontroller.html/
Amazon: Connected car skills market. https://www.amazon.com/s?k=vehicle &i=alexa-skills/
Amazon: Connected vehicle overview. https://developer.amazon.com/en-US/docs/alexa/automotive/connected-vehicle-overview.html/
Amazon: Connected vehicle skills for alexa. https://developer.amazon.com/en-US/docs/alexa/automotive/connected-vehicle-overview.html/
Cheng, L., Wilson, C., Liao, S., Young, J., Dong, D., Hu, H.: Dangerous skills got certified: Measuring the trustworthiness of skill certification in voice personal assistant platforms. In: ACM SIGSAC Conference on Computer and Communications Security (CCS) (2020)
Compustar: Cs4900-s remote start. https://www.compustar.com/bundles/cs4900-s/
Edu, J., Ferrer-Aran, X., Such, J., Suarez-Tangil, G.: Measuring alexa skill privacy practices across three years. In: Proceedings of the ACM Web Conference (WWW), p. 670–680 (2022)
Esposito, S., Sgandurra, D., Bella, G.: Alexa versus alexa: controlling smart speakers by self-issuing voice commands. arXiv preprint arXiv:2202.08619 (2022)
Kim, Y.B., Kim, D., Kumar, A., Sarikaya, R.: Efficient large-scale neural domain classification with personalized attention. In: Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pp. 2214–2224 (2018)
Kumar, D., Paccagnella, R., Murley, P., Hennenfent, E., Mason, J., Bates, A., Bailey, M.: Skill Squatting Attacks on Amazon Alexa. In: 27th USENIX Security Symposium (USENIX Security). pp. 33–47 (2018)
Lentzsch, C., Shah, S.J., Andow, B., Degeling, M., Das, A., Enck, W.: Hey Alexa, is this skill safe? taking a closer look at the Alexa skill ecosystem. In: Proceedings of the 28th ISOC Annual Network and Distributed Systems Symposium (NDSS) (2021)
Lentzsch, C., Shah, S.J., Andow, B., Degeling, M., Das, A., Enck, W.: Hey Alexa, is this skill safe? taking a closer look at the Alexa skill ecosystem. In: 28th Annual Network and Distributed System Security Symposium, NDSS (2021)
Seminatore, M.: Alexa tesla. https://github.com/mseminatore/alexa-tesla/
Wang, D., Chen, K., Wang, W.: Demystifying the vetting process of voice-controlled skills on markets. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 5(3), 1–28 (2021)
Zhang, N., Mi, X., Feng, X., Wang, X., Tian, Y., Qian, F.: Dangerous skills: understanding and mitigating security risks of voice-controlled third-party functions on virtual personal assistant systems. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1381–1396 (2019). https://doi.org/10.1109/SP.2019.00016
Zhang, Y., Xu, L., Mendoza, A., Yang, G., Chinprutthiwong, P., Gu, G.: Life after speech recognition: fuzzing semantic misinterpretation for voice assistant applications. In: Network and Distributed System Security Symposium (NDSS) (2019)
Acknowledgment
This material is based upon work supported in part by the National Science Foundation (NSF) under Grant No. 2239605, 2129164, 2228617, 2120369, 2226339, and 2037798.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Ding, W. et al. (2024). Exploring Vulnerabilities in Voice Command Skills for Connected Vehicles. In: Chen, Y., Lin, CW., Chen, B., Zhu, Q. (eds) Security and Privacy in Cyber-Physical Systems and Smart Vehicles. SmartSP 2023. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 552. Springer, Cham. https://doi.org/10.1007/978-3-031-51630-6_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-51630-6_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51629-0
Online ISBN: 978-3-031-51630-6
eBook Packages: Computer ScienceComputer Science (R0)