AVS Security Requirements
Commercially distributed devices must meet the following minimum security requirements. The Amazon Developer Services Agreement requires developers to implement all reasonable security measures to prevent unauthorized access to the Alexa Voice Service (AVS).
Requirements versus recommendations
This document uses the following terms to signify requirements and recommendations:
- SHALL: Items preceded by SHALL are requirements for all commercial product releases.
- SHOULD: Items preceded by SHOULD are recommendations for all commercial product releases. These best practices help to improve the Alexa experience for customers.
This page was last updated on January 30, 2020.
1.1. Your device SHALL use a secure software update distribution that uses cryptographic signing so that only authentic and authorized updates are applied to the device.
1.2. Your device SHALL implement industry standard device-hardening methods. For example, prohibiting default passwords, removing unnecessary network services and software, validating inputs before processing them in services on the device, and applying all security patches to vulnerable open source software.
1.3. Your device SHALL use TLS 1.2 or greater for all communications outside of initial setup. You SHALL have the Amazon Trust Services root CAs installed in the CA bundle. The device SHALL implement certificate validation for all TLS connections and SHALL validate that connections to the Alexa Built-in device are signed using the correct Amazon certificate. Initial setup SHALL never include the transmission of credentials over a non-TLS session.
1.4. Your company SHALL define a software maintenance update strategy that specifies how to create and distribute software updates within a reasonable period of discovery when vulnerabilities are identified.
1.5. Your company SHALL publish contact information in locale-appropriate languages to publicly available websites for security researchers to notify your company of security vulnerabilities in your devices.
1.6. Your company SHALL implement and share with Amazon a security response plan that describes how your company plans to proceed if a security incident arises, when your company expects to communicate with Amazon on an incident, and the estimated timelines for remediation of an incident.
1.7. Your company SHALL provide Amazon with a report from an independent security expert or a certified security specialist who has conducted an in-depth security review of your device.
1.8. Your company SHALL submit reports of known exploitable security vulnerabilities that exist on the device along with a plan to fix the vulnerabilities.
1.9. Devices implementing BR, EDR, or BLE SHALL support Secure Simple Pairing.
1.10. Devices implementing BR or EDR (Bluetooth 4.0 or higher) SHALL support Security Mode 4 Level 4.
1.11. Devices implementing the BLE protocol and services SHALL support Security Mode 1 Level 4.
1.12. Devices implementing the BLE protocol SHALL use the Privacy feature.
1.13. Your company SHALL submit an unencrypted firmware image of the device to Amazon.
1.14. Your device SHALL protect local Amazon software from unauthorized access, such as on-device MITM attacks or display hijacking.
1.15. Your device SHALL implement both a hardware-based microphone on/off control and a dedicated microphone status indicator to protect the privacy of the customer. Certain display-based devices, such as tablets, or hard-to-reach devices, such as smoke alarms and ceiling fans, may be exempted from this requirement. Contact Amazon to obtain exceptions to this requirement in advance.
1.16. Your device SHALL use a chipset that relies on hardware-based security capabilities.
1.17. Your company SHALL confirm that device software components and use of Amazon SDKs do not violate the license terms of the SDKs.
1.18. Your device SHOULD use a fleet management solution, such as AWS IoT Device Management, or similar.
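Requirement 1.3 expressed as a client TLS configuration, with a check that flags a context falling short of it. This is an added example, not Amazon's code or part of any AVS SDK; the function names and the ca_bundle path parameter are assumptions made for illustration.

```python
import socket
import ssl

TLS_FLOOR = ssl.TLSVersion.TLSv1_2  # requirement 1.3: TLS 1.2 or greater


def build_client_context(ca_bundle=None):
    """Client-side context that enforces requirement 1.3.

    ca_bundle is a hypothetical path to the device CA bundle, which must
    contain the Amazon Trust Services root CAs; None uses the OS trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = TLS_FLOOR       # refuse TLS 1.1 and older
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate against the bundle
    ctx.check_hostname = True             # certificate must match the host name
    return ctx


def audit_context(ctx):
    """Return the ways a context falls short of requirement 1.3 (empty = OK)."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol floor is not pinned to TLS 1.2 or greater")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain validation is disabled")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings


def weak_context():
    """The kind of context the requirement rules out, kept for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate without validation
    return ctx


def negotiated_version(host, port=443, ca_bundle=None):
    """Connect with the hardened context and return the TLS version agreed."""
    ctx = build_client_context(ca_bundle)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

Running audit_context over every context a device build creates, for example in a unit test, catches a validation setting that was relaxed during development and never restored.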
For more information about these security requirements, contact firstname.lastname@example.org.