Alexa Skills: Security Vulnerabilities and Countermeasures

Dan Su, Jiqiang Liu, Sencun Zhu, Xiaoyang Wang, Wei Wang

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Home voice assistants such as Amazon Alexa have become increasingly popular due to the many interesting voice-activated services provided through special applications called skills. These skills, though useful, have also introduced new security, safety and privacy challenges. Prior work has verified that Alexa is vulnerable to multiple types of voice attacks, but the security and privacy risk of using skills has not been fully investigated. In this work, we study an adversary model that covers three security vulnerabilities, namely, over-privileged resource access, hidden code-manipulation and hidden content-manipulation. By exploiting these vulnerabilities, malicious skills can not only bypass the security tests in the vetting process, but also surreptitiously change their original functions in an attempt to steal users' personal information, obtain safety-sensitive information, or disseminate arbitrary information. We systematically study the security issues, from the feasibility of the attacks, through a large-scale survey measurement of 33,744 skills in the Alexa Skills Store, to the design of countermeasures.

Original language: English (US)
Title of host publication: 2022 IEEE Conference on Communications and Network Security, CNS 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781665462556
State: Published - 2022
Event: 2022 IEEE Conference on Communications and Network Security, CNS 2022 - Austin, United States
Duration: Oct 3 2022 - Oct 5 2022

Publication series

Name: 2022 IEEE Conference on Communications and Network Security, CNS 2022
Volume: 2021-January

Conference

Conference: 2022 IEEE Conference on Communications and Network Security, CNS 2022
Country/Territory: United States
City: Austin
Period: 10/3/22 - 10/5/22

All Science Journal Classification (ASJC) codes

  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Information Systems
