Researchers Find Numerous Risks in the Alexa Skills Ecosystem

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

A team of university researchers (Ruhr-Universität Bochum + North Carolina State University + Google) has decided to perform a systematic in-depth analysis of the Alexa Skills ecosystem, using 90,194 sourced from seven different stores. Their purpose was to identify security and privacy risks and also gaps in the vetting process.

Unfortunately, and as the team explained during the recent NDSS conference, there are several problems with a large number of skills used by a substantial number of Alexa-powered device owners.

Source: alexa-skill-analysis.org

Before we move to the findings, allow us to give you an introduction to what Skills are. These are small custom-made apps created for Amazon’s Alexa, the AI-power virtual assistant that “lives” inside millions of IoTs around the globe.

Skills are like add-ons that extend Alexa’s functionality, so they are created by third-party companies that want to help their customers enjoy the convenience of using their services through Alexa. For example, Domino’s Pizza has a skill that allows users to order pizza right from their Amazon Echos.

So, here are the main issues discovered by the researchers:

Source: alexa-skill-analysis.org
Source: alexa-skill-analysis.org
Source: alexa-skill-analysis.org

As it becomes obvious from the above, Amazon has a lot of work to do if they’re planning to clean the skills mess and make the ecosystem safe for the users. Because one cannot rely on Amazon’s immediate and also effective response, users are advised to be very careful with what skills they choose to install on their devices. In general, we would suggest that you keep the number of skills on your Echos to the absolute minimum needed.

[UPDATE] February 27, 2021 - Statement for Amazon spokesperson:

The security of our devices and services is a top priority. We conduct security reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior. Any offending skills we identify are blocked during certification or quickly deactivated. We are constantly improving these mechanisms to further protect our customers. We appreciate the work of independent researchers who help bring potential issues to our attention.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: