MITRE disputed

** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously 

AND
     OR
          *cpe:2.3:o:amazon:echo_dot_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2018-04-27
     OR
          cpe:2.3:h:amazon:echo_dot:-:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:o:amazon:echo_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2018-04-27
     OR
          cpe:2.3:h:amazon:echo:-:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:o:amazon:echo_plus_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2018-04-27
     OR
          cpe:2.3:h:amazon:echo_plus:-:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:o:amazon:echo_show_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2018-04-27
     OR
          cpe:2.3:h:amazon:echo_show:-:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:o:amazon:echo_spot_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2018-04-27
     OR
          cpe:2.3:h:amazon:echo_spot:-:*:*:*:*:*:*:*

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Victim must voluntarily interact with attack mechanism

AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-384

https://info.checkmarx.com/hubfs/Amazon_Echo_Research.pdf No Types Assigned

https://info.checkmarx.com/hubfs/Amazon_Echo_Research.pdf Exploit, Third Party Advisory

https://www.checkmarx.com/2018/04/25/eavesdropping-with-amazon-alexa/ No Types Assigned

https://www.checkmarx.com/2018/04/25/eavesdropping-with-amazon-alexa/ Third Party Advisory

https://www.wired.com/story/amazon-echo-alexa-skill-spying/ No Types Assigned

https://www.wired.com/story/amazon-echo-alexa-skill-spying/ Press/Media Coverage, Third Party Advisory

https://www.yahoo.com/news/amazon-alexa-bug-let-hackers-104609600.html No Types Assigned

https://www.yahoo.com/news/amazon-alexa-bug-let-hackers-104609600.html Press/Media Coverage, Third Party Advisory

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously 

** DISPUTED ** Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If