Introduction
In this work, we study the trustworthiness of the Amazon Alexa platform to answer four key questions:
Experiment setup
We performed “adversarial” experiments against the skill certification process of the Amazon Alexa platform. To test its trustworthiness, we crafted 234 policy-violating skills that intentionally violate specific policies defined by Amazon, and examined whether each one was certified and published to the store.
Experiment results
Our results showed strong evidence that Alexa's skill certification process is implemented in a disorganized manner. We were able to publish all 234 skills that we submitted although some of them required a resubmission.
Google Assistant
We conducted a few experiments on the Google Assistant platform as well. While Google does a better job in the certification process based on our preliminary measurement, it is still not perfect, and it has potentially exploitable flaws that need to be tested more in the future.
COPPA Compliance
It is possible that third-party skills in Amazon Alexa run the legal risk of violating the Children’s Online Privacy Protection Act (COPPA) rules. As demonstrated by our experiments, developers can certify skills that collect personal information from children without satisfying or honoring any of the requirements set forth by the FTC.
Mitigations
Based on our measurements and findings, we provide recommendations to help VA platform providers enhance the trustworthiness of VA platforms.