AVS Security Requirements
Commercially distributed devices must meet the following minimum security requirements. The Amazon Developer Services Agreement requires developers to implement all reasonable security measures to prevent unauthorized access to the Alexa Voice Service (AVS).
Requirements versus recommendations
This document uses the following terms to signify requirements and recommendations:
- SHALL: Items preceded by SHALL are requirements for all commercial product releases.
- SHOULD: Items preceded by SHOULD are recommendations for all commercial product releases. These best practices help to improve the Alexa experience for customers.
This page was last updated on October 18, 2021.
1.1. Device SHALL use a secure software update distribution that uses cryptographic signing so that only authentic and authorized updates are applied to the device.
1.2. Device SHALL implement industry standard device hardening methods. For example, prohibiting default passwords, removing unnecessary network services and software, validating inputs before processing them in services on the device, and applying all security patches to vulnerable open source software.
1.3. Device SHALL use TLS 1.2 or greater for all communications to Alexa endpoints outside of initial setup. You SHALL have the Amazon Trust Services root CAs installed in the CA bundle. The device SHALL implement certificate validation for all such TLS connections and SHALL validate that connections to the device are signed using the correct Amazon certificate. Initial setup SHALL NOT include the transmission of credentials over a non-TLS session.
1.4. Company SHALL have a software maintenance update strategy that specifically defines how software updates will be created and distributed within a reasonable period of discovery when vulnerabilities are identified.
1.5. Company SHALL publish information in English and any other appropriate language on the company's public website about its vulnerability reporting program (VRP) and how security researchers can submit security vulnerability reports for the company's devices.
1.6. Company SHALL implement and share with Amazon a security response plan that describes how company will proceed if a security incident arises, when company will communicate with Amazon on an incident, and the estimated timelines for remediation of an incident.
1.7. Company SHALL provide a report from an independent security expert or a certified security specialist who has conducted an in-depth security review of the device.
1.8. Company SHALL submit reports of known exploitable security vulnerabilities that exist on the device, along with a plan to fix the vulnerabilities.
1.9. Device SHALL support Secure Connections when using Bluetooth BR/EDR or Bluetooth Low Energy (BLE).
1.10. Device SHALL support Security Mode 4 Level 4 when using Bluetooth BR/EDR protocols and services.
1.11. Device SHALL support Security Mode 1 Level 4 when using Bluetooth Low Energy (BLE) protocol and services.
1.12. Device SHALL use the Privacy feature when using the Bluetooth Low Energy (BLE) protocol.
1.13. Company SHALL submit an unencrypted file system image (full firmware) of the device so that it can be scanned for vulnerabilities in the operating system and open source software components. This requirement applies to a new device or an existing device upgrading SDK versions.
1.14. Device SHALL protect local Amazon software from unauthorized access, for example through an on-device MiTM attack or display hijacking.
1.15. Device SHALL implement a hardware based on/off control mechanism for any microphones and cameras. This control must remove power from the microphones/camera and include a dedicated microphone/camera status indicator to inform users of the on/off status.
1.16. Device SHALL use a chipset that relies on hardware-based security capabilities and meets PSA certified Level 1 or similar.
1.17. Company SHALL confirm that device software components and use of Amazon SDKs do not violate the license terms of the SDKs.
1.18. Device SHOULD use a fleet management solution, such as AWS IoT Device Management or similar.
1.19. Company SHOULD get a security assessment for the companion app from an authorized security lab based on an industry security standard. For example, OWASP Mobile Top 10 or similar.
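Added example (not Amazon's or the AVS SDK's code) for the client side of requirement 1.3: a Python TLS context that enforces TLS 1.2 or greater with certificate and hostname validation, next to a self-check that flags a context that falls short. The function names, finding labels and the root CA subject names in ATS_ROOT_CNS are assumptions; confirm the names against the list Amazon Trust Services publishes.

```python
import ssl

# Subject CNs of Amazon Trust Services roots (assumption: confirm against the
# list Amazon Trust Services publishes before relying on it).
ATS_ROOT_CNS = {"Amazon Root CA 1", "Amazon Root CA 2", "Amazon Root CA 3",
                "Amazon Root CA 4",
                "Starfield Services Root Certificate Authority - G2"}

def build_context(cafile=None):
    """Client context for Alexa endpoints: TLS >= 1.2, chain + hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # validation is on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # the device's own CA bundle
    else:
        ctx.load_default_certs()                   # platform trust store
    return ctx

def loaded_root_cns(ctx):
    """Common names of CA certificates already loaded into the context.
    Certificates in a capath directory are only listed once they are used."""
    cns = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            cns.update(v for k, v in rdn if k == "commonName")
    return cns

def audit(ctx):
    """Return the set of requirement-1.3 checks that the context fails."""
    failed = set()
    floor = ctx.minimum_version
    if floor != ssl.TLSVersion.MAXIMUM_SUPPORTED and floor < ssl.TLSVersion.TLSv1_2:
        failed.add("min-tls-version")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        failed.add("certificate-validation")
    if not ctx.check_hostname:
        failed.add("hostname-check")
    if not (loaded_root_cns(ctx) & ATS_ROOT_CNS):
        failed.add("amazon-root-ca")
    return failed

def weak_context():
    """Constructed counter-example: settings that do not meet 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # permits < TLS 1.2
    ctx.check_hostname = False     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Running audit() against the context a device actually ships with, in a build or startup check, catches a disabled validation flag or a CA bundle missing the Amazon roots before the device is released.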