One of the ways that Amazon sets its Alexa digital assistant apart from the competition is through a massive library of third-party ‘skills.’
Skills enable all kinds of extra functionality on Alexa, from checking the weather to playing music. A recent count puts the number of skills at over 100,000, although The Verge notes that most of those skills are gimmicks and jokes that don’t really add much value. Worse than that, new research suggests these skills could also be a privacy threat.
According to a study performed by researchers at North Carolina State University and Germany’s Ruhr-University Bochum, there are several potential issues with how Amazon manages Alexa skills.
For one, Alexa can automatically enable skills if users ask specific questions called ‘invocation phrases.’ Researchers found 9,948 skills with duplicate invocation phrases in the U.S. skills store alone. Duplicate phrases could lead to Alexa activating the wrong skill since it’s unknown how Alexa decides which skill to enable.
Worse, researchers found that developers could publish skills under the names of well-known tech firms, like Samsung or Microsoft. Someone with malicious intent could potentially publish a fake skill masquerading as one from a reputable developer to trick people into enabling it on their Echo devices.
On top of that, skill developers can change their code after publishing the skill. While there are limits to these changes, it’s possible that a bad actor could use the loophole to add malicious code to a skill.
Time to clean up your skills
An Amazon spokesperson told ZDNet in a statement that security was a “top priority” and that the company conducts security reviews as part of certifying Alexa skills. You can read the full statement below:
“The security of our devices and services is a top priority. We conduct security reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior. Any offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers.”
However, despite Amazon’s claim, the research shows that skill privacy is lax. If you use Alexa, it may be a good time to clean up some of your skills. The Verge shared details on how to make that happen.
Users need to head to ‘alexa.amazon.com’ and look for the ‘Skills’ option in the sidebar. Click it, then ‘Your skills’ in the top-right corner. From there, disable any skills you aren’t using. Considering Alexa can automatically enable some skills with an invocation phrase, it’s probably smart to keep an eye on your skills and disable any that get added this way unless you need them.