Log in
Log in
Log in
Smart devices with Alice
Try to find vulnerabilities in our smart devices and subscription mechanisms.
Testing scope: Voice-controlled devices — Yandex Station and Yandex Module.
1
Scope
2
Information for researchers
3
Out of scope
Devices of the 1st category
Recently issued devices with modern security mechanisms that we want to test:
Devices of the 2nd category
Previous generation devices that we update and support:
- Yandex Station 2
- Yandex Station Max
- Yandex Station Mini 2 (LED Display)
- Yandex TV Module
Devices of the 3rd category
Category includes devices from previous generations. Currently, the development team is updating and supporting these devices for users, but rewards for them will be the lowest:
- Yandex Station
- Yandex Station Mini without screen
- Yandex Station Lite
Devices which out of scope
The bug bounty program doesn't include Smart Home devices, TVs, and other devices developed in conjunction with other brands.
*The infrastructure around smart devices is part of the
main scope.
This program focuses on finding vulnerabilities in Yandex smart devices.
We've identified several key areas:
Vulnerabilities in apps and services on the device
Code execution, local files reading, various injections that grant privileged permissions on the device.
Vulnerabilities can be located in apps on the device, voice skills, privileged/non-privileged processes, and more.
Vulnerabilities in the manufacturer’s SoC software and firmware
At the low level of the device, we are interested in attacks that bypass secure boot mechanisms and arbitrary code execution.
We pass such vulnerabilities on to our partners, but don't take part in the CVE release.
If you want to look for low-level problems, you should read the ARM Trusted Firmware specification. Most of our devices are based on it.
Bypassing the subscription model
Some of our devices are sold on a subscription model, which assumes regular payments for device use. Without payments, device use is restricted.
For example, the user cannot watch movies on KinoPoisk or communicate with Alice by voice. We are interested in learning about ways to bypass these restrictions.
Obtaining advanced privileges through PCB interfaces
We do not consider complex, expensive, and difficult-to-reproduce attacks on the circuit board, such as Fault Injection. However, we are interested if attacks provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.
Disclosure of critical user information
We are interested in vulnerabilities that can lead to the disclosure of critical user information, for example, personally identifiable information. Disclosure must occur without any physical contact with the device.
Yandex doesn't reward:
- Any attacks on hardware that involve changing the board configuration, removing chips from the printed circuit board, reprogramming it, or using expensive specific devices and attacks. We are interested in attacks that provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.
- Side-channel attacks that are unlikely to be reproduced.
- «Best practices» for smart device security without a proven impact on security.
- Using an unencrypted file system or not encrypting specific files.
- Missing obfuscation and binary protection (anti-debugging).
- Disclosure of Access keys that have restrictions or are hardcoded in the.apk/other files and don’t give access to personal data.
- Vulnerabilities in third-party apps with no proven impact on the security of the Yandex device or apps.
- The fact of storing user data or authentication tokens in the file system.
- Vulnerabilities in apps on the device that don’t have a significant impact on security.
- Local DoS attacks. The scope of the program includes remote DoS, DoS in the near field of the device, and DoS attacks that can’t be eliminated by rebooting.
- Disclosure of non-critical information about the user, device, or internal company information.
- Voice skills that aren’t developed by Yandex.
- Bypassing parental control by changing the voice.
- Vulnerabilities in devices that aren’t supported.
{ Rewards}
The size of the reward depends on the level of privileges received, the type of device, the criticality of the issue, and its impact on security. It can be assigned according to the ranges in the table below.
The level of criticality is often determined with the developers, which may take some time.
For vulnerabilities in second-priority devices, a price reducer is applied to the payout. If your vulnerability is reproducible and carries security risks for first-priority devices, you will receive the full reward.
Vulnerability Severity Levels | Critical | High | Medium | Low |
|---|---|---|---|---|
Reward amount | up to $11 111 | up to $5555 | up to $2777 | up to $555 |
Thu Dec 19 2024 15:59:23 GMT+0300 (Moscow Standard Time)