A team of researchers found major security weaknesses in third-party Amazon Alexa Skills after acquiring and evaluating 90,194 Alexa Skills developed by external providers in seven countries.
One of the security vulnerabilities they noticed was that third-party vendors can modify an Alexa Skill after it has been certified, placing users’ data at risk.
In addition to these vulnerabilities, the research team found major weaknesses in third-party providers’ data privacy declarations for Alexa Skills.
“We were also able to show that Skills can be published under a fake name. Voice instructions are available for smart devices from well-known car firms, for example. Users trust that the organization has given these skills as they download them. However, this isn’t always the case,” explained Martin Degeling of Ruhr-Universität Bochum (RUB) in Germany.
Amazon has confirmed some of the problems to the research team, saying it is working on countermeasures.
Although Amazon checks all Skills offered in a certification process, this so-called Skill squatting – the adoption of already existing provider names and functions – often goes unnoticed.
Through voice commands known as “Alexa Skills,” users can add numerous extra functions to their Amazon voice assistant.
However, these Skills can often have security gaps and data protection shortcomings.
Researchers from RUB’s Horst Görtz Institute for IT Security and North Carolina State University in the United States conducted the first large-scale study of the Alexa Skills ecosystem.
These voice commands are developed not only by the tech giant Amazon itself but also by external providers.
Users can download them at a store operated by Amazon directly, and in some cases, they are also activated automatically by Amazon.
The researchers obtained and analyzed 90,194 Skills from Amazon’s Skill stores in seven countries.
“The first concern is that Amazon has only partly activated Skills since 2017. Previously, users had to commit to each Skill’s use. They no longer have a good vision of where Alexa’s answers come from or who programmed them in the first place,” Degeling said.
Unfortunately, it is often unclear which Skill is activated at what time.
“For example, if you ask Alexa for a compliment, you can get a response from 31 different providers, but it’s not immediately clear which one is automatically selected,” the researchers said.
Data that is needed for the technical implementation of the commands can be unintentionally forwarded to external providers, the researchers warned.
“In an experiment, we were able to publish Skills in the name of a large company,” the researchers said.
After a while, attackers could reprogramme their voice command to ask for users’ credit card records, according to Christopher Lentzsch of the RUB Chair of Information and Technology Management.
“Amazon’s monitoring normally detects certain prompts and disallows them; nevertheless, modifying the software afterward may get around this limitation. Many users could be duped by this trick if they trusted the abused provider name and Amazon,” he said.
Last week, the team presented the work virtually at the Network and Distributed System Security Symposium (NDSS).