Title

藉由智慧音箱竊取隱私之攻擊演示 (Demonstration of Privacy Stealing Attack via Smart Speakers)

Parallel title

Demonstration of Privacy Stealing Attack via Smart Speakers

Authors

李建賢(Jian-Xian Li);孫沛靖(Pei-Jing Sun);吳介騫(Jieh-Chian Wu)

Keywords

Smart Speaker; Voice Assistant; Privacy (original keywords: 智慧音箱; 語音助理; 隱私)

Journal

資訊安全通訊 (Information Security Communications)

Volume/Issue (publication date)

Vol. 26, No. 3 (2020/08/01)

Pages

1 - 19

Language

Traditional Chinese

Chinese abstract (translated)

In recent years, smart speaker products have gradually matured and become widespread. Because the voice assistant in a smart speaker is constantly listening for user commands in order to launch services, this creates information security vulnerabilities. We found that the root login password on the port of XIAOMI smart speakers is either not set at all, or is set in a specific way, such that it can be accessed using system commands. After logging in to the system as root, we can inject malware into the XIAOMI smart speaker system and thereby eavesdrop on conversations between the user and the voice assistant and steal the user's private data, even when the microphone is set to off. We demonstrate three attack scenarios: eavesdropping, spear phishing, and passive phishing. Finally, based on the attacks demonstrated, we propose mitigations separately for manufacturers and for users.

English abstract

Recently, smart speaker products have become mature and popular. Since the voice assistant of a smart speaker is always listening for users' commands in order to provide services, this leads to security vulnerabilities. We find that the root login password for the UART ports of XIAOMI smart speakers is either not configured or configured according to a certain pattern, which can be accessed using system commands. After logging in as root, we can inject malware into XIAOMI smart speakers so that we can eavesdrop on conversations between the user and the voice assistant to perform a privacy-stealing attack, even when the user turns off the microphone. We demonstrate three attack scenarios: eavesdropping, spear phishing, and passive phishing. Finally, we propose mitigations against such attacks for both manufacturers and users.

Subject classification

Basic and Applied Sciences > Information Science

References
  1. CVE-2020-8994. Common Vulnerabilities and Exposures. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8994
  2. CVE-2020-10262. Common Vulnerabilities and Exposures. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10262
  3. CVE-2020-10263. Common Vulnerabilities and Exposures. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10263
  4. Candid, W. (2017). Unpublished.
  5. Cheng, P., Bagci, I. E., Yan, J., Roedig, U. (2019). Smart Speaker Privacy Control - Acoustic Tagging for Personal Voice Assistants. IEEE Workshop on the Internet of Safe Things.
  6. Clinton, I., Cook, L., Banik, S. (2016). A survey of various methods for analyzing the Amazon Echo. The Citadel, The Military College of South Carolina, South Carolina.
  7. Eoghan, F., Juanita, B. (2018). She Knows Too Much – Voice Command Devices and Privacy. 2018 29th Irish Signals and Systems Conference.
  8. B. Eric (2017). Is There An Echo In Here? What You Need To Consider About Privacy Protection. Forbes Legal Council. https://www.forbes.com/sites/forbeslegalcouncil/2017/09/18/is-there-an-echo-in-here-what-you-need-to-consider-about-privacy-protection/
  9. Ford, M., Palmer, W. (2019). Alexa, are you listening to me? An analysis of Alexa voice service network traffic. Personal and Ubiquitous Computing, 23(1), 67-79.
  10. Hart, L. (2018). Smart speakers raise privacy and security concerns. Journal of Accountancy, 225(6), 70.
  11. Jackson, C., Orebaugh, A. (2018). A study of security and privacy issues associated with the Amazon Echo. International Journal of Internet of Things and Cyber-Assurance, 1(1), 91-100.
  12. Kumar, D., Paccagnella, R., Murley, P., Hennenfent, E., Mason, J., Bates, A. (2018). Skill Squatting Attacks on Amazon Alexa. 27th USENIX Security Symposium.
  13. Lau, J., Zimmerman, B., Schaub, F. Unpublished.
  14. Lau, J., Zimmerman, B., Schaub, F. (2018). Alexa, are you listening?: Privacy perceptions, concerns and privacy-seeking behaviors with smart speakers. Proceedings of the ACM on Human-Computer Interaction, 2(CSCW).
  15. Lee, J.-S., Kang, S.-Y., Kim, S.-J. (2018). Study on the AI Speaker Security Evaluations and Countermeasure. Journal of the Korea Institute of Information Security and Cryptology, 28, 1523-1537.
  16. B. Mark (2017/8/1). Alexa, are you listening? https://labs.f-secure.com/archive/alexa-are-you-listening/
  17. Park, Y., Choi, H., Cho, S., Kim, Y.-G. (2019). Security Analysis of Smart Speaker: Security Attacks and Mitigation. Computers, Materials and Continua, 61, 1075-1090.
  18. Shawn, G., Brett, G., Kanwalinderjit, G. (2019). Future Security of Smart Speaker and IoT Smart Home Devices. 2019 Fifth Conference on Mobile and Secure Services (MobiSecServ).
  19. Smart Spies: Alexa and Google Home expose users to vishing and eavesdropping. Security Research Labs. https://srlabs.de/bites/smart-spies/
  20. Speech recognition. Wikipedia, The Free Encyclopedia. https://en.wikipedia.org/w/index.php?title=Speech_recognition&oldid=949143164 (accessed 2020/4/4).
  21. Speech synthesis. Wikipedia, The Free Encyclopedia. https://en.wikipedia.org/w/index.php?title=Speech_synthesis&oldid=949282784 (accessed 2020/4/5).
  22. Xiao, X.-T., Kim, S.-I. (2018). A Study on the User Experience of Smart Speaker in China - Focused on Tmall Genie and Mi AI Speaker. Journal of Digital Convergence, 16(10), 409-414.