Security News > 2021 > February > Alexa, swap out this code that Amazon approved for malware... Installed Skills can double-cross their users

Alexa, swap out this code that Amazon approved for malware... Installed Skills can double-cross their users
2021-02-25 07:04

In research presented on Wednesday at the Network and Distributed System Security Symposium conference, researchers describe flaws in the process Amazon uses to review third-party Alexa applications known as Skills.

"We show that not only can a malicious user publish a Skill under any arbitrary developer/company name, but she can also make backend code changes after approval to coax users into revealing unwanted information," the academics explain in their paper, titled "Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem." [PDF].

The boffins identified 358 Skills capable of requesting information that should be protected by a permission API. They also found that Skill squatting - e.g. Skills that try to get people to invoke them inadvertently by implementing invocation and intent names that sound similar to the invocation and intent names of legitimate Skills - is common.

Rather, it appears mainly to be a way for developers to piggyback on the popularity of their own existing Skills - having two Skills activated by nearly identical phrases increase the likelihood some of their software will run.

Finally, the researchers found that almost a quarter of Alexa Skills don't fully disclose the data they collect.

Rather it provides an overview of various attack vectors related to voice capturing, voice traffic transmission, Alexa voice recognition, Alexa skill invocation, Lambda functions and Amazon S3 buckets.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/25/alexa_amazon_skills/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Amazon 64 9 60 39 13 121