Researchers discover serious security flaws in Alexa device skills
Recent research calls into question the security of certain third-party skills for Alexa, and we tell you where the risk comes from.
Thanks to Alexa skills we can provide different extra functionalities to our compatible devices such as the Amazon Echo, but according to a recent study it may not be a good idea for you to use Alexa skills from third parties.
And it is that in a study published by a team of researchers from the North Carolina State University, claim that potentially our personal data, or even our banking information or contact lists, could be at risk if we have installed third-party Alexa skills.
Before you worry, the team clarifies that at the moment it is unknown if someone has been able to exploit the vulnerability they have found, although perhaps you should check what third-party skills you have installed in Alexa right now.
Basically what the team of researchers comments is that Amazon does not seem to examine third-party skill developers from Alexa, and that means that there is no verification to guarantee that these skills come from legal companies or from people looking to get hold of some kind user information.
They claim that in these third-party skills, developers could make use of redundant trigger words, even trick the user into thinking that they are giving their information to the company they trust, when it really is not. According to the research, Amazon would allow third-party skill editors to change their privacy policies after obtaining approval of the skill and its publication, being able to change the rules of the game at any time.
It is convenient that you log in to your Amazon account, and then look for Alexa skills to see what you currently have installed. If you see any suspicious, that you do not recognize or even come from a third-party company, you can disable them.
After leaving the information from the middle TNW, an Amazon spokesperson has issued a statement commenting that “the security of our devices and services is a top priority. We conduct security reviews as part of skill certification and have systems in place to continuously monitor skills live to detect potentially malicious behavior”.
To which they add that “Any offensive skills we identify are blocked during certification or quickly disabled. We are constantly improving these mechanisms to further protect our customers. We appreciate the work of independent researchers who help draw our attention to potential issues”.