Researchers discover huge security holes in Amazon’s ‘skills’ for Alexa


You might want to put a moratorium on the use of Alexa’s “skills” until Amazon can sort out some gaping privacy loopholes in its third-party access.

According to a study released today by a team of researchers at North Carolina State University, your personal data – including, potentially, your banking information and contact lists – could be at risk if you installed third-party skills from the Alexa skills market.

First of all: skills are Alexa’s version of apps. They’re useful for everything from controlling third-party hardware gadgets like smart lights or smart thermostats to logging into your bank account using voice control through Alexa.

The only reason the issues raised by the researchers do not constitute a red alert situation is that we are currently not aware of any evidence that these security risks have been exploited maliciously. That being said, you may want to uninstall all of your third-party Alexa skills until Amazon issues assurances that the privacy holes have been filled.

The problem: Simply put, Amazon doesn’t seem to be properly vetting third-party skill developers. This means that no checks are in place to ensure that the person or company who sells or gives you a skill is who they say they are. Apparently the system is set up in such a way that you might think you’re using a skill from your smart thermostat or smart lock maker when in fact you’re being duped by a shady impersonator.

It gets worse. The researchers also found that developers can use redundant wake-up words. In the worst-case scenario, you could be fooled into thinking that you are giving your information to a company you trust because you used a summon phrase like “Alexa, open the Blah Blah Blah Banking app,” when in fact someone has aped that phrase for nefarious purposes.

Finally, in what could be the most egregious security hole, according to the researchers, Amazon allows third-party skill developers to change their privacy policies after getting approval and publication. Per the university’s press release:

Researchers have shown that developers can modify the code in the back-end of skills after the skill has been placed in stores. Specifically, the researchers published a skill and then modified the code to request additional information from users after the skill was approved by Amazon.

Quick fix: Our advice to anyone who uses an Alexa-enabled device is to access your Amazon account and make sure you’re not using any third-party skills, at least until Amazon addresses the issues the researchers raised.

Fortunately, it’s really easy to do this.

  • Step one: sign in to your Amazon account
  • Step two: search for “Alexa Skills” and click on the top result
  • Step three: click on “Your skills” and make sure you are not using any third-party skills.

We have reached out to Amazon for feedback and will update this article as soon as we have a response.

You can read the full article here.

Published March 4, 2021 – 18:45 UTC

