TY - GEN
T1 - Alexa Skills
T2 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
AU - Su, Dan
AU - Liu, Jiqiang
AU - Zhu, Sencun
AU - Wang, Xiaoyang
AU - Wang, Wei
N1 - Publisher Copyright: © 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - The home voice assistants such as Amazon Alexa have become increasingly popular due to many interesting voice-activated services provided through special applications called skills. These skills, though useful, have also introduced new security, safety and privacy challenges. Prior work has verified that Alexa is vulnerable to multiple types of voice attacks, but the security and privacy risk of using skills has not been fully investigated. In this work, we study an adversary model that covers three security vulnerabilities, namely, over-privileged resource access, hidden code-manipulation and hidden content-manipulation. By exploiting these vulnerabilities, malicious skills can not only bypass the security tests in the vetting process, but also surreptitiously change their original functions in an attempt to steal users' personal information, obtain safety-sensitive information, or disseminate arbitrary information. We systematically study the security issues from the feasibility of the attacks, a large-scale survey measurement of 33,744 skills in Alexa Skills Store, to the design of countermeasures.
UR - http://www.scopus.com/inward/record.url?scp=85150728074&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85150728074&partnerID=8YFLogxK
U2 - 10.1109/CNS56114.2022.10066153
DO - 10.1109/CNS56114.2022.10066153
M3 - Conference contribution
AN - SCOPUS:85150728074
T3 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
BT - 2022 IEEE Conference on Communications and Network Security, CNS 2022
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 3 October 2022 through 5 October 2022
ER -