• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • COVID-19 Update
  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Subscribe
  • Project of the Week
  • About Us
    SEARCH
Facility, News

Amazon Alexa Users Should Vet Their Downloaded Skills

Amazon Alexa "skills" users should probably prune-through all of their downloaded skills -- some of them may have vulnerabilities.

March 5, 2021 Adam Forziati Leave a Comment

Intelligent Assistant Regional Accent Alexa

Amazon’s Alexa-enabled smart speakers have found popularity in the consumer market in recent years, and even in select retail and corporate environments.

One of the selling points the company has pushed are the Amazon Alexa skills. But users should probably pay closer attention to those.

As a recent post on The Verge pointed out, many of the over 100,000 skills are “one-note” novelties which are completely forgettable — and they may pose security vulnerabilities.

A large-scale study of vulnerabilities in Alexa skills recently identified concerns in the vetting process Amazon utilizes to confirm each skill.

More details from The Verge:

  • Activating the wrong skill. Since 2017, Alexa will automatically enable skills if users ask the right question (otherwise known as an “invocation phrase”). But researchers found that in the US store alone there were 9,948 skills with duplicate invocation phrases. That means if you ask Alexa for “space facts,” for example, it will automatically enable one of the numerous skills that uses this phrase. How that skill is chosen is a complete mystery, but it could well lead to users activating the wrong or unwanted skills.
  • Publishing skills under false names. When you’re installing a skill you might check the developer’s name to ensure its trustworthiness. But researchers found that Amazon’s vetting process to check developers are who they say they are isn’t very secure. They were able to publish skills under the names of big corporations like Microsoft and Samsung. Attackers could easily publish skills pretending to be from reputable firms.
  • Changing code after publication. The researchers found that publishers can make changes to the backend code used by skills after publication. This doesn’t mean they can change a skill to do just anything, but they could use this loophole to slip dubious actions into skills. So, for example, you could publish a skill for children that would be verified by Amazon’s safety team, before changing the backend code so it asks for sensitive information.
  • Lax privacy policies. Privacy policies are supposed to inform users about how their data is being collected and used, but Amazon doesn’t require skills to have accompanying policies. Researchers found that only 28.5 percent of US skills have valid privacy policies, and this figure is even lower for skills aimed at children — just 13.6 percent.

The Verge recommends users of these devices comb through their unused skills and delete those which are not critical to the user.

Read Next: Amazon Introduces Pro Portal for Integrators

While none of these issues have a direct attack associated with them, it seems AI assistants have a long way to go before being trusted with mission-critical applications, such as those seen in commercial settings.

Tagged With: Artificial Intelligence, Voice Control

Related Content:

  • No More Ransom SMBs Are Grappling with Paying Ransom Demands
  • Tenable Cloud Security with Agentless Assessment and Live Results Tenable Announces Cloud Security Agentless Assessment for Faster…
  • Bluesound Professional B170S Networked Streaming Stereo Amplifier Bluesound Professional Launches B170S Networked Streaming Stereo Amplifier
  • SolarWinds IT pro Day 2022 Nominations Open for SolarWinds’ IT Pro Day 2022…

Free downloadable guide you may like:

  • Hybrid Work webinarFeatured Webcast: Collaboration 2.0 — Where Are We Now?

    In this webinar, subject matter experts discuss the transformation of the workplace, the rise of hybrid workers, the importance of open connectivity and the technology solutions that can drive high levels of productivity.

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Blueprint Series: How to Reduce Shadow IT

The distributed work model gives employees the flexibility they demand, but it can lead to shadow IT and introduce unnecessary security risk. Resea...

Hybrid Work webinar
Featured Webcast: Collaboration 2.0 — Where Are We Now?

In this webinar, subject matter experts discuss the transformation of the workplace, the rise of hybrid workers, the importance of open connectivit...

guide to end user training cover
Pro Tips for Conducting End User Training

Effective trainings are the glue that can make the difference following a new technology implementation that your team has spent so much time, effo...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Subscribe to the Newsletter
  • Contact Us
  • Media Solutions & Advertising
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSTERMS OF USEPRIVACY POLICY

© 2022 Emerald X, LLC. All rights reserved.