New Delhi: In yet another privacy setback, a team of researchers who obtained and analysed 90,194 \"Alexa<\/a> Skills\" developed by external providers in seven countries has found significant deficiencies for safe use of Amazon<\/a> Alexa-enabled third-party smart devices<\/a>. 在另一个隐私挫折,一组研究人员获得和分析90194年“Alexa技能”由外部供应商在7个国家发现重大缺陷亚马逊Alexa-enabled第三方智能设备的安全使用。 新德里:在另一个隐私的挫折,一组研究人员获得和分析90194”亚莉克莎技能”由外部供应商在7个国家发现重大缺陷的安全使用亚马逊Alexa-enabled第三方智能设备。
One of the security loopholes they found was that Alexa Skills could be changed by the third-party providers afterward, putting users at data leaking risk<\/a>.
In addition to these security risks, the research team also identified significant lacks in the general data protection declarations for the Alexa Skills by the third-party providers.
For example, only 24.2 per cent of the Skills have a so-called privacy Policy at all, and even fewer in the particularly sensitive areas of \"Kids\" and \"Health and Fitness<\/a>.\"
\"Furthermore, we were able to prove that Skills can be published under a false identity. Well-known automotive companies, for example, make voice commands available for their smart systems. Users download these believing that the company itself has provided these Skills. But that is not always the case,\" explained Martin Degeling from Ruhr-Universitat Bochum (RUB) in Germany.
Amazon<\/a> has confirmed some of the problems to the research team, saying it was is working on countermeasures.
Although Amazon checks all Skills offered in a certification process, this so-called Skill squatting - the adoption of already existing provider names and functions - is often not noticeable.
With the voice commands \"Alexa Skills,\" users can load numerous extra functions onto their Amazon voice assistant.
However, these Skills can often have security gaps and data protection vendors.
In their study, the researchers from the Horst Gortz Institute for IT Security at RUB and North Carolina State University in the US studied first-time the ecosystem of Alexa Skills.
These voice commands are developed not only by the tech giant Amazon itself but also by external providers.
Users can download them at a store operated by Amazon directly, and in some cases, they are also activated automatically by Amazon.
The researchers obtained and analyzed 90,194 Skills from the stores in seven country platforms.
\"A first problem is that Amazon has partially activated Skills automatically since 2017. Previously, users had to agree to the use of each Skill. Now they hardly have an overview of where the answer Alexa gives them comes from and who programmed it in the first place,\" said Degeling.
Unfortunately, it is often unclear which Skill is activated at what time.
\"For example, if you ask Alexa for a compliment, you can get a response from 31 different providers, but it's not immediately clear which one is automatically selected,\" the researchers said.
Data that is needed for the technical implementation of the commands can be unintentionally forwarded to external providers, the researchers warned.
\"In an experiment, we were able to publish Skills in the name of a large company,\" the researchers said.
According to Christopher Lentzsch from the RUB Chair of Information and Technology Management, attackers could reprogramme their voice command after a while to ask for users' credit card data.
\"Amazon's testing usually catches such prompts and does not allow them - the trick of changing the program afterward can bypass this control. By trusting the abused provider name and Amazon, numerous users could be fooled by this trick,\" he said.
The team presented their work at the \"Network and Distributed System Security Symposium (NDSS)\" virtual conference last week.
<\/p><\/body>","next_sibling":[{"msid":81254246,"title":"Social media platforms, news publishers awaiting clarity on rules linked to news and current affairs","entity_type":"ARTICLE","link":"\/news\/social-media-platforms-news-publishers-awaiting-clarity-on-rules-linked-to-news-and-current-affairs\/81254246","category_name":null,"category_name_seo":"telecomnews"}],"related_content":[{"msid":"81254760","title":"Echo & Alexa Devices","entity_type":"IMAGES","seopath":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy\/echo-alexa-devices","category_name":"3rd party Alexa smart devices risk users' privacy","synopsis":"India was the fourth country - after the United States, the United Kingdom and Germany - where Amazon launched Alexa.","thumb":"https:\/\/etimg.etb2bimg.com\/thumb\/img-size-74416\/81254760.cms?width=150&height=112","link":"\/image\/3rd-party-alexa-smart-devices-risk-users-privacy\/echo-alexa-devices\/81254760"}],"msid":81254758,"entity_type":"ARTICLE","title":"3rd party Alexa smart devices risk users' privacy","synopsis":"In yet another privacy setback, a team of researchers who obtained and analysed 90,194 \"Alexa Skills\" developed by external providers in seven countries has found significant deficiencies for safe use of Amazon Alexa-enabled third-party smart devices.","titleseo":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy","status":"ACTIVE","authors":[],"analytics":{"comments":0,"views":203,"shares":0,"engagementtimems":897000},"Alttitle":{"minfo":""},"artag":"IANS","artdate":"2021-02-28 12:01:38","lastupd":"2021-02-28 12:10:14","breadcrumbTags":["Alexa","User privacy","smart devices","Amazon","amazon alexa","Devices","health and fitness","risk","voice commandes","alexa smart devices"],"secinfo":{"seolocation":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy"}}" data-authors="[" "]" data-category-name="" data-category_id="" data-date="2021-02-28" data-index="article_1">
第三方Alexa智能设备用户的隐私风险
他们发现的安全漏洞之一Alexa技能可以由第三方供应商改变之后,将用户数据泄漏风险。
除了这些安全风险,该研究小组还发现了显著缺乏总体数据保护声明由第三方提供商Alexa的技能。
“此外,我们能够证明技能可以发表在一个假身份。著名的汽车公司,例如,提供语音指令的智能系统。用户下载这些相信公司本身提供了这些技能。但这并非总是如此,”马丁解释Degeling Ruhr-Universitat波鸿(摩擦)在德国。
亚马逊已确认的一些问题研究小组,说这是工作的对策。
尽管亚马逊检查所有技能提供了认证过程,这种所谓的技能蹲,采用现有的供应商名称和功能——通常是不明显的。
语音指令“Alexa技能”,用户可以负载大量额外的功能到他们的亚马逊语音助理。
然而,这些技能可以经常有安全漏洞和数据保护供应商。
在他们的研究中,研究人员从霍斯特Gortz摩擦IT安全研究所和美国北卡州立大学研究初次Alexa技能的生态系统。
这些声音命令开发不仅由科技巨头亚马逊本身也由外部提供者。
用户可以存储由亚马逊直接下载它们,在某些情况下,他们也由亚马逊自动激活。
研究人员获得和分析来自七个国家的商店平台90194技能。
“第一个问题是,亚马逊自2017年以来部分自动激活的技能。在此之前,用户必须同意每个技能的使用。现在他们几乎没有的概述答案Alexa给他们从哪里来,编程,首先,“Degeling说。
不幸的是,它通常是不清楚哪些技能被激活在什么时候。
“例如,如果你问Alexa恭维,你可以得到一个响应从31日不同的提供者,但它不清楚哪一个是自动选择的,”研究人员说。
数据技术实现所需的命令可以无意中转发给外部供应商,研究人员警告说。
“在一个实验中,我们能够发布技能在一个大公司的名字,”研究人员说。
根据克里斯托弗Lentzsch擦椅子的信息和技术管理,攻击者可能会让他们的声音命令一段时间后要求用户的信用卡数据。
“亚马逊的测试通常捕获这样的提示,不允许他们改变计划的技巧之后可以绕过这种控制。通过信任滥用提供者名称和亚马逊,许多用户可以被这个技巧,”他说。
团队展示了自己的作品在“网络和分布式系统安全座谈会(nds)“虚拟会议上周。
读到
New Delhi: In yet another privacy setback, a team of researchers who obtained and analysed 90,194 \"Alexa<\/a> Skills\" developed by external providers in seven countries has found significant deficiencies for safe use of Amazon<\/a> Alexa-enabled third-party smart devices<\/a>.
One of the security loopholes they found was that Alexa Skills could be changed by the third-party providers afterward, putting users at data leaking risk<\/a>.
In addition to these security risks, the research team also identified significant lacks in the general data protection declarations for the Alexa Skills by the third-party providers.
For example, only 24.2 per cent of the Skills have a so-called privacy Policy at all, and even fewer in the particularly sensitive areas of \"Kids\" and \"Health and Fitness<\/a>.\"
\"Furthermore, we were able to prove that Skills can be published under a false identity. Well-known automotive companies, for example, make voice commands available for their smart systems. Users download these believing that the company itself has provided these Skills. But that is not always the case,\" explained Martin Degeling from Ruhr-Universitat Bochum (RUB) in Germany.
Amazon<\/a> has confirmed some of the problems to the research team, saying it was is working on countermeasures.
Although Amazon checks all Skills offered in a certification process, this so-called Skill squatting - the adoption of already existing provider names and functions - is often not noticeable.
With the voice commands \"Alexa Skills,\" users can load numerous extra functions onto their Amazon voice assistant.
However, these Skills can often have security gaps and data protection vendors.
In their study, the researchers from the Horst Gortz Institute for IT Security at RUB and North Carolina State University in the US studied first-time the ecosystem of Alexa Skills.
These voice commands are developed not only by the tech giant Amazon itself but also by external providers.
Users can download them at a store operated by Amazon directly, and in some cases, they are also activated automatically by Amazon.
The researchers obtained and analyzed 90,194 Skills from the stores in seven country platforms.
\"A first problem is that Amazon has partially activated Skills automatically since 2017. Previously, users had to agree to the use of each Skill. Now they hardly have an overview of where the answer Alexa gives them comes from and who programmed it in the first place,\" said Degeling.
Unfortunately, it is often unclear which Skill is activated at what time.
\"For example, if you ask Alexa for a compliment, you can get a response from 31 different providers, but it's not immediately clear which one is automatically selected,\" the researchers said.
Data that is needed for the technical implementation of the commands can be unintentionally forwarded to external providers, the researchers warned.
\"In an experiment, we were able to publish Skills in the name of a large company,\" the researchers said.
According to Christopher Lentzsch from the RUB Chair of Information and Technology Management, attackers could reprogramme their voice command after a while to ask for users' credit card data.
\"Amazon's testing usually catches such prompts and does not allow them - the trick of changing the program afterward can bypass this control. By trusting the abused provider name and Amazon, numerous users could be fooled by this trick,\" he said.
The team presented their work at the \"Network and Distributed System Security Symposium (NDSS)\" virtual conference last week.
<\/p><\/body>","next_sibling":[{"msid":81254246,"title":"Social media platforms, news publishers awaiting clarity on rules linked to news and current affairs","entity_type":"ARTICLE","link":"\/news\/social-media-platforms-news-publishers-awaiting-clarity-on-rules-linked-to-news-and-current-affairs\/81254246","category_name":null,"category_name_seo":"telecomnews"}],"related_content":[{"msid":"81254760","title":"Echo & Alexa Devices","entity_type":"IMAGES","seopath":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy\/echo-alexa-devices","category_name":"3rd party Alexa smart devices risk users' privacy","synopsis":"India was the fourth country - after the United States, the United Kingdom and Germany - where Amazon launched Alexa.","thumb":"https:\/\/etimg.etb2bimg.com\/thumb\/img-size-74416\/81254760.cms?width=150&height=112","link":"\/image\/3rd-party-alexa-smart-devices-risk-users-privacy\/echo-alexa-devices\/81254760"}],"msid":81254758,"entity_type":"ARTICLE","title":"3rd party Alexa smart devices risk users' privacy","synopsis":"In yet another privacy setback, a team of researchers who obtained and analysed 90,194 \"Alexa Skills\" developed by external providers in seven countries has found significant deficiencies for safe use of Amazon Alexa-enabled third-party smart devices.","titleseo":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy","status":"ACTIVE","authors":[],"analytics":{"comments":0,"views":203,"shares":0,"engagementtimems":897000},"Alttitle":{"minfo":""},"artag":"IANS","artdate":"2021-02-28 12:01:38","lastupd":"2021-02-28 12:10:14","breadcrumbTags":["Alexa","User privacy","smart devices","Amazon","amazon alexa","Devices","health and fitness","risk","voice commandes","alexa smart devices"],"secinfo":{"seolocation":"telecomnews\/3rd-party-alexa-smart-devices-risk-users-privacy"}}" data-news_link="//www.iser-br.com/news/3rd-party-alexa-smart-devices-risk-users-privacy/81254758">
评论
现在评论 阅读评论(1)所有评论
找到这个评论进攻?
下面选择你的理由并单击submit按钮。这将提醒我们的版主采取行动