Alexa Skills: Security gaps and data protection problems

2021-03-02 05:00

These Skills can often have security gaps and data protection problems, as a team of researchers from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum and North Carolina State University discovered, together with a former PhD student who started to work for Google during the project.

In their study, the researchers around Christopher Lentzsch and Dr. Martin Degeling studied first-time the ecosystem of Alexa Skills.

"A first problem is that Amazon has partially activated Skills automatically since 2017. Previously, users had to agree to the use of each Skill. Now they hardly have an overview of where the answer Alexa gives them comes from and who programmed it in the first place," explains Dr. Martin Degeling from the RUB Chair of System Security.

Although Amazon checks all Skills offered in a certification process, this so-called Skill squatting, i.e., the adoption of already existing provider names and functions, is often not noticeable.

The researchers also identified another security risk: "Our study also showed that the Skills could be changed by the providers afterward," explains Lentzsch.

In addition to these security risks, the research team also identified significant lacks in the general data protection declarations for the Skills.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/wnu_0P2c1is/

#alexa #security