(Press-News.org) A recent study outlines a range of privacy concerns related to the programs that users interact with when using Amazon's voice-activated assistant, Alexa. Issues range from misleading privacy policies to the ability of third parties to change the code of their programs after receiving Amazon approval.
"When people use Alexa to play games or seek information, they often think they're interacting only with Amazon," says Anupam Das, co-author of the paper and an assistant professor of computer science at North Carolina State University. "But a lot of the applications they are interacting with were created by third parties, and we've identified several flaws in the current vetting process that could allow those third parties to gain access to users' personal or private information."
At issue are the programs that run on Alexa, allowing users to do everything from listen to music to order groceries. These programs, which are roughly equivalent to the apps on a smartphone, are called skills. Amazon has sold more than 100 million Alexa devices (and possibly twice that many), and there are more than 100,000 skills for users to choose from. Because the majority of these skills are created by third-party developers, and Alexa is used in homes, researchers wanted to learn more about potential security and privacy concerns.
With that goal in mind, the researchers used an automated program to collect 90,194 unique skills found in seven different skill stores. The research team also developed an automated review process that provided a detailed analysis of each skill.
One problem the researchers noted was that the skill stores display the developer responsible for publishing the skill. This is a problem because Amazon does not verify that the name is correct. In other words, a developer can claim to be anyone. This would make it easy for an attacker to register under the name of a more trustworthy organization. That, in turn, could fool users into thinking the skill was published by the trustworthy organization, facilitating phishing attacks.
The researchers also found that Amazon allows multiple skills to use the same invocation phrase.
"This is problematic because, if you think you are activating one skill, but are actually activating another, this creates the risk that you will share information with a developer that you did not intend to share information with," Das says. "For example, some skills require linking to a third-party account, such as an email, banking, or social media account. This could pose a significant privacy or security risk to users."
In addition, the researchers demonstrated that developers can change the code on the back end of skills after the skill has been placed in stores. Specifically, the researchers published a skill and then modified the code to request additional information from users after the skill was approved by Amazon.
"We were not engaged in malicious behavior, but our demonstration shows that there aren't enough controls in place to prevent this vulnerability from being abused," Das says.
Amazon does have some privacy protections in place, including explicit requirements related to eight types of personal data - including location data, full names and phone numbers. One of those requirements is that any skills requesting this data must have a publicly available privacy policy in place explaining why the skill wants that data and how the skill will use the data.
But the researchers found that 23.3% of 1,146 skills that requested access to privacy-sensitive data either didn't have privacy policies or their privacy policies were misleading or incomplete. For example, some requested private information even though their privacy policies stated they were not requesting private information.
The researchers also outline a host of recommendations for how to make Alexa more secure and empower users to make more informed decisions about their privacy. For example, the researchers encourage Amazon to validate the identity of skill developers and to use visual or audio cues to let users know when they are using skills that were not developed by Amazon itself.
"This release isn't long enough to talk about all of the problems or all of the recommendations we outline in the paper," Das says. "There is a lot of room for future work in this field. For example, we're interested in what users' expectations are in terms of system security and privacy when they interact with Alexa."
The paper, "Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem," was presented at the Network and Distributed Systems Security Symposium 2021, which was held Feb. 21-24. First author of the paper is Christopher Lentzsch of Ruhr-Universität Bochum. The paper was co-authored by Sheel Jayesh Shah, a graduate student at NC State; William Enck, an associate professor at NC State; Martin Degeling at Ruhr-Universität Bochum; and Benjamin Andow of Google Inc.
The work was done with support from the National Science Foundation under grant 1849997, and from the German state of North Rhine-Westphalia.