CVE-2018-11567
First published: Wed May 30 2018(Updated: )
** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously designed skill is installed, an attacker could obtain transcripts of speech not intended for Alexa to process, but simply spoken within the device's hearing range. NOTE: The vendor states "Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do. Customers do not need to take any action for these mitigations to work."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Amazon Echo Show Firmware | <2018-04-27 | |
| Amazon Echo Show Firmware | ||
| All of | ||
| Amazon Echo Plus | <2018-04-27 | |
| Amazon Echo Plus Firmware | ||
| All of | ||
| Amazon Echo Dot | <2018-04-27 | |
| Amazon Echo Dot | ||
| All of | ||
| Amazon Echo Spot Firmware | <2018-04-27 | |
| Amazon Echo Spot Firmware | ||
| All of | ||
| Amazon Echo Firmware | <2018-04-27 | |
| Amazon Alexa | ||
| Amazon Echo Show Firmware | <2018-04-27 | |
| Amazon Echo Show Firmware | ||
| Amazon Echo Plus | <2018-04-27 | |
| Amazon Echo Plus Firmware | ||
| Amazon Echo Dot | <2018-04-27 | |
| Amazon Echo Dot | ||
| Amazon Echo Spot Firmware | <2018-04-27 | |
| Amazon Echo Spot Firmware | ||
| Amazon Echo Firmware | <2018-04-27 | |
| Amazon Alexa |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-11567?
CVE-2018-11567 is a vulnerability that existed prior to 2018-04-27 in the reprompt feature of Amazon Echo devices.
How does the reprompt feature in Amazon Echo devices work?
The reprompt feature in Amazon Echo devices is designed to speak a reprompt if Alexa doesn't receive an input within 8 seconds, and wait for an additional 8 seconds for input.
What is the impact of CVE-2018-11567?
The impact of CVE-2018-11567 is that a custom Alexa skill could misuse the reprompt feature to potentially eavesdrop on conversations.
Which Amazon Echo devices are affected by CVE-2018-11567?
Amazon Echo devices with firmware versions up to and excluding 2018-04-27 are affected by CVE-2018-11567.
How can I protect myself from CVE-2018-11567?
To protect yourself from CVE-2018-11567, ensure that your Amazon Echo device firmware is updated to a version after 2018-04-27.
- agent/references
- agent/type
- agent/severity
- agent/weakness
- agent/author
- agent/status
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/amazon
- canonical/amazon echo show firmware
- canonical/amazon echo plus
- canonical/amazon echo plus firmware
- canonical/amazon echo dot
- canonical/amazon echo spot firmware
- canonical/amazon echo firmware
- canonical/amazon alexa
- status/disputed