image
Researchers warn Amazon’s voice assistant Alexa is vulnerable to malicious third-party “skills” – voice assistant capabilities developed by third parties – that could leave smart-speaker owners vulnerable to a wide range of cyberattacks. The security-threat claim is roundly dismissed by Amazon. Researchers scrutinized 90,194 unique skills from Amazon’s skill stores across seven countries. The report, presented at the Network and Distributed System Security Symposium 2021 this week, found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information. “While skills expand Alexa’s capabilities and functionalities, it also creates new security and privacy risks,” said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, in a research paper (PDF). “We identify several gaps in the current ecosystem that can be exploited by an adversary to launch further attacks, including registration of arbitrary developer name, bypassing of permission APIs, and making backend code changes after approval to trigger dormant intents,” they said. An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior. “The security of our devices and services is a top priority,” said the Amazon spokesperson. “Any offending skills we identify…

Source