Researchers uncover major vulnerabilities in Amazon’s “skills” for Alexa

You may want to put a moratorium on the use of Alexa’s “skills” until Amazon can fix some gaping privacy holes in its third-party access.

According to a study published today by a team of researchers at North Carolina State University, your personal information – including potentially your banking information and contact lists – could be at risk if you’ve installed third-party skills from the Alexa skills marketplace.

First things first: Skills are Alexa’s versions of apps. They’re useful for everything from controlling third-party hardware devices like smart lights or smart thermostats to logging into your bank account using voice commands via Alexa.

The only reason the issues raised by the researchers are not yet alarming is that we are not currently aware of any evidence that these security risks have been maliciously exploited. That being said, you may want to uninstall any third-party Alexa skills until Amazon makes sure the privacy loopholes are closed.

The problem: Simply put, Amazon does not seem to be properly verifying third-party skill developers. That is, there is no review to make sure that the person or company selling or giving you a skill is who they say they are. Apparently the system is set up in such a way that you might think you are using a skill from your smart thermostat or smart lock manufacturer when you are actually being scammed by a seedy copycat.

It gets worse. The researchers also found that developers can use duplicate invocation phrases. Worst-case scenario, you could be fooled into thinking you are giving your information to a company you trust by using an invocation phrase like “Alexa, open the Blah Blah Blah banking app” when in fact someone else is using that phrase to impersonate it.

According to the researchers, Amazon allows third-party skill publishers to change their privacy policies after their skills have been approved and published. According to a press release from the university:

The researchers showed that developers can modify the code at the backend of skills after the skills are placed in stores. Specifically, the researchers published a skill and changed the code to request additional information from users after the skill was approved by Amazon.

Quick take: We recommend that anyone using an Alexa-enabled device log into their Amazon account and make sure they are not using any third-party skills, at least until Amazon addresses the issues raised by the researchers.

Fortunately, it’s very easy.

  • Step one: Log into your Amazon account
  • Step two: Search for “Alexa Skills” and click on the top result
  • Step three: Click on “Your Skills” and make sure you are not using any third-party skills.

We asked Amazon for a comment and will update this article as soon as we hear something.

You can read the full article here.

Published on March 4, 2021 – 18:45 UTC
