AVS Security Requirements-V1 - 2

The document outlines security requirements for devices using the Alexa Voice Service (AVS). It requires developers to implement reasonable security measures like secure software updates, device hardening, TLS for communications, a software maintenance plan, publishing a security response process, and addressing known vulnerabilities. The company confirms it meets several of the requirements but is still working to complete an independent security review and finalize its security response plan.

Uploaded by Sigma Pigs

SECURITY REQUIREMENTS FOR AVS DEVICES

The Alexa Developer Services Agreement requires that developers implement all reasonable security measures to
prevent unauthorized access to the Alexa Service.

These requirements are intended to help companies creating AVS devices be proactive in identifying and resolving
potential security vulnerabilities in their devices, and be prepared to distribute fixes for security issues identified after
launch. Please identify whether your company and the device you are submitting meet these requirements prior to
launch. For any questions, please contact [email protected].

Security requirements / Supported (Yes/No)

1.1 Your device SHALL use a secure software update distribution that uses cryptographic signing so that only authentic and authorized updates are applied to the device.
Supported: Yes

Comments:

1.2 Your device SHALL implement industry standard device hardening methods. For example, prohibiting default passwords, removing unnecessary network services and software, validating inputs before processing them in services on the device, and applying all security patches to vulnerable open source software.
Supported: Yes

Comments:

1.3 Your device SHALL use TLS 1.2 or greater for all communications outside of initial setup. You SHALL have the Amazon Trust Services root CAs installed in the CA bundle. The device SHALL implement certificate validation for all TLS connections and SHALL validate that connections to the AVS device are signed using the correct Amazon certificate. Initial setup SHALL never include the transmission of credentials over a non-TLS session.
Supported: Yes

Comments:

1.4 Your company SHALL have a software maintenance update strategy in place that specifically defines how software updates will be created and distributed within a reasonable period of discovery when vulnerabilities are identified.
Supported: Yes

Comments:

1.5 Your company SHALL publish information on publicly available websites on how security researchers can notify your company of security vulnerabilities in your devices.
Supported: Yes

Comments:

1.6 Your company SHALL implement and share with Amazon a security response plan that describes how your company will proceed if a security incident arises, when your company will communicate with Amazon on an incident, and the estimated timelines for remediation of an incident.
Supported: No

Comments:

We are currently implementing the security response plan and we will share it with you soon.

1.7 Your company SHALL provide a report from an independent security expert or a certified security specialist who has conducted an in-depth security review of the device.
Supported: No

Comments:

We have initiated the process with the security firm and we are expecting a report from them soon.

1.8 Your company SHALL submit reports of known exploitable security vulnerabilities that exist on the device along with a plan to fix the vulnerabilities.
Supported: Yes

Comments:

Company Name: Globaltronics GmbH
Device Name: Blaupunkt SHS 100 Beta
Firmware Version: SA2232Version1.1.7
Module Name (if applicable):
Amazon ID: A16OQYKMSWO9TT
Submitted by:
Date: 1-10-2019

AMAZON CONFIDENTIAL
