AVS Security Requirements

Commercially distributed devices must meet the following minimum security requirements. The Amazon Developer Services Agreement requires that developers must implement all reasonable security measures to prevent unauthorized access to the Alexa Voice Service (AVS).

Requirements versus recommendations

This document uses following terms to signify requirements and recommendations:

  • SHALL: Items preceded by SHALL are required for all commercial product releases.
  • SHOULD: Items preceded by SHOULD are recommended for all commercial product releases. These best practices help to improve the Alexa customer experience.

Last updated

This page was last updated on January 30, 2020.

Requirements

1.1. Your device SHALL use a secure software update distribution that uses cryptographic signing so that only authentic and authorized updates are applied to the device.

1.2. Your device SHALL implement industry standard device-hardening methods. For example, prohibiting default passwords, removing unnecessary network services and software, validating inputs before processing it in services on the device, and applying all security patches to vulnerable open source software.

1.3. Your device SHALL use TLS 1.2 or greater for all communications outside of initial setup. You SHALL have the Amazon Trust Services root CAs installed in the CA bundle. The device SHALL implement certificate validation for all TLS connections and SHALL validate that connections to the Alexa Built-in device are signed using the correct Amazon certificate. Initial setup SHALL never include the transmission of credentials over a non-TLS session.

1.4. Your company SHALL define a software maintenance update strategy that specifies how to create and distribute software updates within a reasonable period of discovery when vulnerabilities are identified.

1.5. Your company SHALL publish contact information in locale-appropriate languages to publicly available websites for security researchers to notify your company of security vulnerabilities in your devices.

1.6. Your company SHALL implement and share with Amazon a security response plan that describes how your company plans to proceed if a security incident arises, when your company expects to communicate with Amazon on an incident, and the estimated timelines for remediation of an incident.

1.7. Your company SHALL provide Amazon with a report from an independent security expert or a certified security specialist who has conducted an in-depth security review of your device.

1.8. Your company SHALL submit reports of known exploitable security vulnerabilities that exist on the device along with a plan to fix the vulnerabilities.

1.9 Your device using BR, EDR, or BLE SHALL support Secure Simple Pairing.

1.10 Your device using BR or EDR (Bluetooth 4.0 or higher) SHALL support Security Mode 4 Level 4.

1.11 Your device using the BLE protocol and services SHALL support Security Mode 1 Level 4.

1.12 Your device using the BLE protocol SHALL use the Privacy feature.

1.13 Your company SHALL submit an unencrypted firmware image of the device to Amazon.

1.14 Your device SHALL protect local Amazon software from unauthorized access, such as on-device MITM attacks or display hijacking.

1.15 Your device SHALL implement a hardware controlled microphone "MUTE" capability, if there is a dedicated "MUTE" indicator to protect the privacy of the customer. Certain devices based on display (e.g. tablets), Hard-to-reach (e.g. Smoke Alarms, Ceiling Fans) or similar may be exempted from this requirement. Any exception to this requirement should be obtained from Amazon in advance.

1.16 Your device SHALL use a chipset that relies on hardware-based security capabilities.

1.17 Your company SHALL confirm that device software components and use of Amazon SDKs does not violate the license terms of the SDKs.

1.18 Your device SHOULD use a fleet management solution, such AWS IoT Device Management, or similar.

For more information about these security requirements, contact avs-security@amazon.com.