Audio Signal Command Injection in Amazon Echo Devices
CVE-2023-33248

7.6HIGH

Key Information:

Vendor: Amazon
Status: Alexa
Vendor: CVE Published:; 24 May 2023

What is CVE-2023-33248?

The Amazon Alexa software in Echo Dot 2nd and 3rd generation devices is vulnerable to a sophisticated form of command injection that exploits audio signals within the 16 to 22 kHz frequency range. This range often goes unheard by the average human, allowing attackers to issue security-relevant commands that typically would not be communicated by legitimate users. Due to the nature of these commands and the lack of audible detection, a significant portion of these attacks can succeed without detection, posing a serious security risk to users reliant on these smart devices.

References

https://cios2023.org/papers

https://www.usenix.org/system/files/sec23fall-prepub-261-...

https://sites.google.com/view/nuitattack/home

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2023
Vulnerability Reserved
May 21, 2023