Why would you ever trust Amazon's Alexa after this? - ZDNet

Researchers examined the realities of using Alexa's tens of thousands of so-called Skills.

Only a fraction even have a privacy policy.

| Topic: Amazon.

An Amazon Alexa-powered cuckoo clock, that is.

Why, Alexa can even buy you your mummy, should you want.

New research from concerned academics at Germany's Ruhr-University Bochum, together with equally concerned colleagues from North Carolina State -- and even a researcher who, during the project, joined Google -- may just make Alexa owners wonder about the true meaning of an easy life.

The researchers looked at 90,194 Alexa skills.

How much would you like to shudder, oh happy Alexa owner?

Martin Degeling: "A first problem is that Amazon has partially activated skills automatically since 2017.

Now they hardly have an overview of where the answer Alexa gives them comes from and who programmed it in the first place.".

So the first problem is that you have no idea where your clever answer comes from whenever you rouse Alexa from her slumber.

Ready for another quote from the researchers.

We found that developers can register themselves with any company name when creating their developer's account with Amazon.

Please, this is the sort of thing that makes us laugh when big companies get hacked -- and don't tell us for months, or even years.

These researchers actually tested the process for themselves.

"In an experiment, we were able to publish skills in the name of a large company.

Yes, Amazon has a certification process for these skills.

But "no restriction is imposed on changing the backend code, which can change anytime after the certification process.".

Which Amazon Echo to buy.

How to pick the best Alexa device for your needs.

Then, say the researchers, there are the skills developers who publish under a false identity?

Surely all these skills have privacy policies that govern what they can and can't do.

From the research: "Only 24.2% of skills have a privacy policy." So three-quarters of the skills, well, don't.

Don't worry, though, there's worse: "For certain categories like 'kids' and 'health and fitness' only 13.6% and 42.2% skills have a privacy policy, respectively?

As privacy advocates, we feel both 'kids' and 'health' related skills should be held to higher standards with respect to data privacy.".

Naturally, I asked Amazon what it thought of these slightly chilly findings.

An Amazon spokesperson told me: "The security of our devices and services is a top priority?

We conduct security reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior.

Any offending skills we identify are blocked during certification or quickly deactivated.

I fancy getting customers to be amused by as many Alexa skills as possible so that Amazon can collect as much data as possible, might be a higher priority.

Still, the spokesperson added: "We appreciate the work of independent researchers who help bring potential issues to our attention.".

But how do you expect us to monitor all these little skills.

Of course, Amazon believes its monitoring systems work well in identifying true miscreants.

I also understand that the company believes kid skills often don't come attached to a privacy policy because they don't collect personal information.

Ultimately, like so many tech companies, Amazon would prefer you to monitor -- and change -- your own permissions, as that would be very cost-effective for Amazon.

But who really has those monitoring skills.

This research, presented last Thursday at the Network and Distributed System Security Symposium, makes for such candidly brutal reading that at least one or two Alexa users might consider what they've been doing.

After all, this isn't even the first time that researchers have exposed the vulnerabilities of Alexa skillsa

Last year, academics tried to upload 234 policy-breaking Alexa skills.

Tell me how many got approved, Alexa.

The latest skills researchers themselves contacted Amazon to offer some sort of "Hey, look at this.".

They say: "Amazon has confirmed some of the problems to the research team and says it is working on countermeasures."a

I wonder what skills Amazon is using to achieve thata

| Topic: Amazon.

An asteroid is approaching, so I invited one of Earth's defenders to dinner

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy

You also agree to the Terms of Use and acknowledge the data collection and usage practices outlined in our Privacy Policy

Cloud, data amongst APAC digital skills most needed

Amazon wants to know how annoyed it can make you

Amazon sues New York AG to pre-empt regulatory action

Privacy Policy |