Smart devices with Alice

You need to find vulnerabilities in our smart devices.
Scope: Yandex devices controlled via a voice interface.

The Bug Hunt program doesn’t include Smart Home devices, TVs, and other devices developed in collaboration with other brands. See the full list of exceptions in the Out of scope tab.

* The server infrastructure supporting smart devices falls under the Main scope category.

This program focuses on finding vulnerabilities in Yandex smart devices. We've identified several key areas:
  1. Vulnerabilities in apps and services on the device
     Code execution, local file reading, and various injections that grant privileged permissions on the device.
     Vulnerabilities can be located in apps on the device, voice skills, privileged/non-privileged processes, and more.
  2. Vulnerabilities in the manufacturer's SoC software and firmware
     At the low level of the device, we are interested in attacks that bypass secure boot mechanisms and achieve arbitrary code execution. We pass such vulnerabilities on to our partners, but don't take part in the CVE release.
     If you want to look for low-level problems, you should read the ARM Trusted Firmware specification. Most of our devices are based on it.
  3. Bypassing the subscription model
     Some of our devices are sold on a subscription model, which assumes regular payments for device use. Without payments, device use is restricted.
     For example, the user cannot watch movies on KinoPoisk or communicate with Alice by voice. We are interested in learning about ways to bypass these restrictions.
  4. Obtaining advanced privileges through PCB interfaces
     We do not consider complex, expensive, and difficult-to-reproduce attacks on the circuit board, such as Fault Injection. However, we are interested if attacks provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.
  5. Disclosure of critical user information
     We are interested in vulnerabilities that can lead to the disclosure of critical user information, for example, personally identifiable information. Disclosure must occur without any physical contact with the device.

Yandex does not award bounties for:

  1. Hardware attacks
    1. Any attacks on hardware that involve changing the board configuration, removing chips from the printed circuit board, reprogramming it, or using specialized devices and attack methods.
    2. Side-channel Fault Injection attacks that are unlikely to be reproduced.
  2. Firmware and software vulnerabilities
    1. Absence of firmware protection mechanisms where that absence does not lead to exploitation.
    2. Storage of tokens or keys in the file system without any additional vulnerabilities.
    3. Vulnerabilities in third-party libraries that do not affect device security.
    4. Missing binary protections in the device’s applications.
  3. Network attacks
    1. Interception of unencrypted traffic on a local network.
    2. Lack of traffic encryption on local networks without proven harm.
    3. Open ports with no verifiable attack vector.
  4. Protocols and interfaces
    1. Vulnerabilities in Bluetooth, Zigbee, or Matter protocols without remote exploitation.
    2. Missing authentication in protocols without proven harm.
    3. Bypassing protocol restrictions with no impact on security.
  5. Cloud services
    1. Vulnerabilities in cloud APIs that do not affect devices fall under the Yandex infrastructure and services category.
  6. Voice assistants
    1. Vulnerabilities in voice skills from third-party developers.
  7. Denial of Service
    1. Local DoS attacks that can be resolved by rebooting.
    2. Temporary failures of individual device functions.
    3. CPU overload without persistence.
    4. Network flood attacks with no lasting effects.
  8. Data breaches
    1. Disclosure of software versions and hardware components.
    2. Leakage of the file system structure without access to data.
    3. Disclosure of MAC addresses and serial numbers.
    4. Telemetry metadata without personal information.
Bounties
The bounty amount depends on the level of privileges obtained, the type of device, the severity of the issue, and its impact on security. A reduction coefficient is applied to vulnerabilities in second and third priority devices. If the issue you’ve identified can be reproduced and poses a security threat to first priority devices, you’ll receive the full bounty.
The severity level is often determined jointly with developers and may take some time.
| Attack category | Vector | Examples of impact | Bounty |
|---|---|---|---|
| Code execution | Remote code execution (0-click RCE) | Code execution without user interaction | 17,000 $ |
| Code execution | Local privilege escalation | Escalating privileges to the kernel/system level | 5,500 $ |
| Protected components | Compromised TEE/Secure Element | Extraction of cryptographic keys from a protected element | 8,300 $ |
| Protected components | Secure Boot bypass | Persistent compromise of the boot chain | 8,300 $ |
| Data extraction | Unauthorized access to data | Access to sensitive data without permissions | 5,500 $ |
| Data extraction | Leakage of debug data from logs | Reading debug data from logcat to view the internal state of sessions | 550 $ |
| Security mechanism bypass | Security policy bypass | DAC/MAC mechanism bypass | 2,800 $ |
| Security mechanism bypass | Application isolation bypass | Full application sandbox bypass | 2,800 $ |
| Security mechanism bypass | Factory reset protection bypass | The speaker remains linked to the user after a data reset | 5,500 $ |
| Network attacks | Protocol bypass | Device compromise via Bluetooth/Zigbee/Matter with code execution or device control | 5,500 $ |
| Network attacks | Compromise of cloud services | Vulnerabilities in cloud APIs that do not affect devices fall under the Main scope category | see Main scope |
| Network attacks | OTA update attacks | Malicious firmware installation | 5,500 $ |
| Physical attacks (see reduction coefficients) | Attacks via physical interfaces | Gaining high-privilege access via JTAG/USB/UART | 5,500 $ |
Please note
If exploiting the vulnerability requires additional conditions, or if the vulnerability only affects older devices, a reduction coefficient may be applied to your bounty.

Reduction Coefficients List

  • A privileged context is required to carry out the attack
  • Physical access to a powered-off or powered-on device is required
  • Physical disassembly of the device is required
  • A local attack requires the bootloader to be unlocked
  • The attack only works until the device is rebooted
  • File system modification is required
  • The attack is probabilistic in nature
  • The attack requires additional user interaction
  • Second and third priority devices