CVE-2018-11567

https://notcve.org/view.php?id=CVE-2018-11567

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. The reprompt feature is designed so that if Alexa does not receive an input within 8 seconds, the device can speak a reprompt, then wait an additional 8 seconds for input; if the user still does not respond, the microphone is then turned off. The vulnerability involves empty output-speech reprompts, custom wildcard ("gibberish") input slots, and logging of detected speech. If a maliciously designed skill is installed, an attacker could obtain transcripts of speech not intended for Alexa to process, but simply spoken within the device's hearing range. NOTE: The vendor states "Customer trust is important to us and we take security and privacy seriously. • https://info.checkmarx.com/hubfs/Amazon_Echo_Research.pdf https://www.checkmarx.com/2018/04/25/eavesdropping-with-amazon-alexa https://www.wired.com/story/amazon-echo-alexa-skill-spying https://www.yahoo.com/news/amazon-alexa-bug-let-hackers-104609600.html • CWE-384: Session Fixation •