Amazon Alexa skills pose potential security threat according to study

Researchers found that developers could publish skills under false names, change code after publication and more

One of the ways that Amazon sets its Alexa digital assistant apart from the competition is through a massive library of third-party ‘skills.’

Skills enable all kinds of extra functionality on Alexa, from checking the weather to playing music. A recent count puts the number of skills at over 100,000, although The Verge notes that most of those skills are gimmicks and jokes that don’t really add much value. Worse than that, new research suggests these skills could also be a privacy threat.

According to a study performed by researchers at North Carolina State University and Germany’s Ruhr-University Bochum, there are several potential issues with how Amazon manages Alexa skills.

For one, Alexa can automatically enable skills if users ask specific questions called ‘invocation phrases.’ Researchers found 9,948 skills with duplicate invocation phrases in the U.S. skills store alone. Duplicate phrases could lead to Alexa activating the wrong skill since it’s unknown how Alexa decides which skill to enable.

Worse, researchers found that developers could publish skills under the names of well-known tech firms, like Samsung or Microsoft. Someone with malicious intent could potentially publish a fake skill masquerading as one from a reputable developer to trick people into enabling it on their Echo devices.

On top of that, skill developers can change their code after publishing the skill. While there are limits to these changes, it’s possible that a bad actor could use the loophole to add malicious code to a skill.

Finally, researchers found that Amazon had loose privacy policies around skills. The e-commerce giant had requirements related to certain types of personal data, like location information. One requirement was that any skill requesting access to some of the personal data must have a publicly available privacy policy. Researchers found that of 1,146 skills they checked that requested access to that data, 23.3 percent either didn’t have a privacy policy at all, or had one that was incomplete or misleading. Some even requested the data despite offering a privacy policy that explicitly said they didn’t access private information.

Time to clean up your skills

An Amazon spokesperson told ZDNet in a statement that security was a “top priority” and that the company conducts security reviews as part of certifying Alexa skills. You can read the full statement below:

“The security of our devices and services is a top priority. We conduct security reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior. Any offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers.”

However, despite Amazon’s claim, the research shows that skill privacy is lax. If you use Alexa, it may be a good time to clean up some of your skills. The Verge shared details on how to make that happen.

Users need to head to ‘alexa.amazon.com‘ and look for the ‘Skills’ option in the sidebar. Click it, then ‘Your skills’ in the top-right corner. From there, disable any skills you aren’t using. Considering Alexa can automatically enable some skills with an invocation phrase, it’s probably smart to keep an eye on your skills and disable any that get added this way unless you need them.

Source: NC State / Ruhr-University Bochum Via: The Verge, ZDNet