Yuval Ron, M.Sc. Thesis Seminar
Tuesday, 24.3.2020, 13:00
Advisors: Prof. Eli Biham and Amichai Shulman
Voice assistants are designed to make our lives easier. By responding to spoken commands and questions, they provide a natural way of interacting with computers and smartphones. The problem starts when these voice assistants run by default even when the device is locked, which requires vendors to balance comfort with security. In this talk, I will take the audience on an amusing journey of discovering more than twenty new security vulnerabilities in popular voice assistants, and the fascinating battle of vendors to patch these flaws with minimum effort and public exposure. Exploiting the vulnerabilities allows attackers to run arbitrary executables on the locked device, access private information, and even steal the user's money. This journey demonstrates the difficulty of tying together new interfaces with old security assumptions, the catastrophic outcome of breaking these assumptions, and the importance of applying the lessons learned in future integrations. In summary, I point out the main failures that led to these vulnerabilities and present some innovative concepts that should be introduced into the voice assistant architecture to avoid such mishaps.