back to article Alexa, swap out this code that Amazon approved for malware... Installed Skills can double-cross their users

Computer security bods based in Germany and the US have analyzed the security measures protecting Amazon's Alexa voice assistant ecosystem and found them wanting. In research presented on Wednesday at the Network and Distributed System Security Symposium (NDSS) conference, researchers describe flaws in the process Amazon uses …

  1. Sceptic Tank Bronze badge
    WTF?

    I don't want your help

    Don't know if this is important, but my new Android mobile phone has this button on the side that brings up a "How can I help" assistant. The button is perfectly placed so that it unwittingly gets pressed every time one handles the phone. One day, in a rage, I managed to switch on a blighter that was reading the news while some female robot voice wanted to know how it could help me. Not being used to UI's that have been thoroughly millnialized, I could not figure out how to exit the news. Then this robot starts asking me "How can I help?", to which I requested the Google go away. But I may have been using some words and a tone of voice that would clearly indicate that I did not wish to be helped by Google's robot (i.e. F-OFF GOOGLE!!!!!). My rage doubled when this thing actually said: "I'm sorry if I upset you".

    1. Chris G Silver badge

      Re: I don't want your help

      I have Google Assistant snd the mic disabled on my phone, the icon for the mic however, is always functional and placed where it can be inadvertently touched so I constantly have a pop up asking to allow or deny the mic for Google.

      I have found that shouting at the phone doesn't help at all but it hasn't stopped me.

  2. Hubert Cumberdale Silver badge

    There are so many reasons I won't let one of these in my house.

    (Obligatory).

    1. BillG
      Megaphone

      Re: There are so many reasons I won't let one of these in my house.

      Finally, the researchers found that almost a quarter (24.2 per cent) of Alexa Skills don't fully disclose the data they collect.

      They collect EVERYTHING!

      Only suckers believe privacy statements.

  3. oiseau Silver badge
    WTF?

    No such thing

    ... analyzed the security measures protecting Amazon's Alexa voice assistant ecosystem and found them wanting.

    Security measures?

    Protecting?

    Amazon's Alexa?

    It's been quite obvious from the very first time this crap came out on the market:

    There - is - no - such - thing.

    If you are stupid enough to buy one, you deserve what you get.

    O.

  4. BenM 29
    Megaphone

    Talk to a computer? why would I do that?

    I really really don't get the obsession with talk controlled everything. Even my car does it! (though to be fair it makes a better fist of voice recognition than Google does). Gettting the technological marvells to recognise what I want is invariably slower than fishing my phone out of my pocket, opening a browser and typing on a tiny keyboard.... or even just pressing the buttons on the steering wheel to acheive exactly the same thing (OK sending a txt is more tricky at the wheel, so obviously park up first or just switch the flipping phone to DnD when on the road)

    <rant>

    Then, of course, you run into issues where there are two voice recognisers on one device (I am looking at you, LG 'Smart' TVs...) where the Google version can't turn off the TV, yet the LG version, supposedly powered by Google, can.... and how do you get the LG one to work? you have to disable the Google integration, which, apparently breaks the LG Voice Recognition (it doesn't, but it claims that it does!) for the TV.

    The things you have to say to get it to do anything useful are a) difficult to remember and b) not natural speech. Far simpler and quicker to find the remote and press the button, or fire up the LG remote software on the phone and do whatever that way.

    </rant>

    It's ok Matron, I have taken my medicne...

    1. Jimmy2Cows Silver badge

      Re: Talk to a computer? why would I do that?

      It can be useful in hands-free situations when you really need to be concentrating on something else. As in your car analogy. But that's only really viable if you don't have to think hard about how and when to issue the voice command.

      If it's not natural language, without special pronunciation, it becomes a distraction in its own right.

      If there's a delay between pushing the button and being able to issue the voice command, that's another distraction. Not desireable while driving.

      At the moment it still seems too gimmicky, too clunky to be useful. Most times it's often easier and quicker to grab the remote / pick up the phone / flick the lightswitch.

      Case in point: step lad had hooked up Alexa to a "smart" lightbulb. Enters his bedroom annoucing "Hey Alexa! Turn on the lights.", whilst passing the lightswitch right by the door. Ridiculously pointless.

    2. Tom 38 Silver badge

      Re: Talk to a computer? why would I do that?

      I talk to my amazon firetv remote to search for specific things on TV. It isn't auto-listening, it only operates when a specific button on the remote is pressed.

      Its a balance between ease of use and functionality, its easier to do that than to use an on screen keyboard.

    3. doublelayer Silver badge

      Re: Talk to a computer? why would I do that?

      It can be a little handy depending on how its done. For example, I use the voice interface on my phone on occasion, almost always to do one of three things. Those are faster to do by voice than by touch. Compare these:

      Set a timer:

      By voice: Press button, hear tone, say "Set a timer for 25 minutes", done.

      By touch: Retrieve phone, type unlock pin, find the clock app, select the timer page, spin the little dial to select 25 minutes, press start, lock phone, done.

      Call a contact:

      By voice: Press button, hear tone, say "Call name", hold phone to ear.

      By touch: Retrieve phone, type unlock pin, find the phone app, press the contacts button, scroll to find the person, press the call button, put phone to ear.

      A lot of other things though don't get the speed advantage, and are only useful when you can't use the touch or visual interfaces. A well-done car voice interface would be useful, but I've not seen one. The best cars at least let you use the, usually much better, phone voice interfaces rather than make you use theirs.

    4. Duffy Moon

      Re: Talk to a computer? why would I do that?

      I understand the hostility against them, but Echo devices and the like, are very useful for those with disabilities which make typing difficult.

  5. AnAnonymousCanuck

    How to Get Privacy

    Run YOUR voice assistant on YOUR machine, not someone-elses.

    https://kalliope-project.github.io/

    AAC

  6. Pascal Monett Silver badge

    "Any offending skills we identify"

    The problem, apparently, are the offending skills you don't identify.

    It's all well and good to have a security API defending personal information, but if anyone can ask for a credit card number without using that API then it's not much use, is it ?

    Once again, a problem was recognized but the proper solution was not implemented. Solution which would have been requiring developers to submit their "Skill" (ugh, I hate that notion) as raw code, to be reviewed by Amazon drones, compiled and tested. The code review would catch things like that.

    Of course, Amazon would have to hire competent coders who would spend their time reviewing code, which would be more expensive and time-consuming, but mostly more expensive. But nothing should be able to pass through that kind of filter.

  7. ZekeStone

    Not surprised

    Reading about this doesn't surprise me one bit. I will never have one of these dumb "smart" speakers in my house... not even if someone gives me one for free. When they first came out, my first reaction was "well that's a huge potential for a security breach".

    And it looks like I'm right.

  8. ClosedJar

    none of that now

    I have earned a skill set on how to actually live and thrive in this world. Let's see I can actually move and actually use my hands to push buttons. I can do well for myself, thanks you very much. So no Alexa, Google assistance, or MS dumb assistant. The only weakness I have about things are my 4000 books that keep multiplying every so often like rabbits. I use technology as the tool they are, like a hammer and a nail. Of course if I was disable, could not move or think well I'm sure I would welcome the voices in the boxes to lend a hand. But "knock on wood" I have yet to reach that point. The less of those things are in our home, the more we own our environment. I like to own my space without the spies of corporations in that space with the no so altruism of helping. Seriously, people complain that they can't go anywhere outside without being spy or follow by cameras but yet still pay to be spy in the last space that has privacy: Their Home. That don't make any sense to me.

    1. ecofeco Silver badge

      Re: none of that now

      It's doesn't make any sense because it's hard for smart people to realize just how effing stupid, stupid people really are.

  9. ecofeco Silver badge

    Shocked!

    This is my shocked face: :|

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021