ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process (Security News, February 2021)
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information.
Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "Skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.
Reuse of invocation names is so prevalent that the investigation spotted 9,948 skills that share the same invocation name with at least one other skill in the US store alone.
Across all the seven skill stores, only 36,055 skills had a unique invocation name.
Given that the actual criteria Amazon uses to auto-enable a specific skill among several skills with the same invocation names remain unknown, the researchers cautioned it's possible to activate the wrong skill and that an adversary can get away with publishing skills using well-known company names.
"As privacy advocates we feel both 'kid' and 'health' related skills should be held to higher standards with respect to data privacy," the researchers said, while urging Amazon to validate developers and perform recurring backend checks to mitigate such risks.