Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems

@article{Zhang2019DangerousSU,
  title={Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems},
  author={Nan Zhang and Xianghang Mi and Xuan Feng and Xiaofeng Wang and Yuan Tian and Feng Qian},
  journal={2019 IEEE Symposium on Security and Privacy (SP)},
  year={2019},
  pages={1381-1396}
}
Virtual personal assistants (VPA) (e.g., Amazon Alexa and Google Assistant) today mostly rely on the voice channel to communicate with their users, which however is known to be vulnerable, lacking proper authentication (from the user to the VPA). A new authentication challenge, from the VPA service to the user, has emerged with the rapid growth of the VPA ecosystem, which allows a third party to publish a function (called skill) for the service and therefore can be exploited to spread malicious… Expand
Security and Privacy Issues with Virtual Private Voice Assistants
A Survey about Virtual Private Voice Assistants (VPVA) such as Alexa, Google Assistant, Apple's Siri on about how users have adopted this technology, recent advancements, Privacy concerns, SecurityExpand
On the Security and Privacy Challenges of Virtual Assistants
TLDR
There is a gap in the current state of the art in VA research, and no current literature reviews on the topic exist, which sheds light on future research directions, such as providing solutions to perform voice authentication without an external device, and the compliance of VAs with privacy regulations. Expand
“Alexa, Stop Spying on Me!”: Speech Privacy Protection Against Voice Assistants
Voice assistants (VAs) are becoming highly popular recently as a general means of interacting with the Internet of Things. However, the use of always-on microphones on VAs imposes a looming threat onExpand
"Alexa, stop spying on me!": speech privacy protection against voice assistants
TLDR
MicShield introduces a novel selective jamming mechanism, which obfuscates the user's private speech while passing legitimate voice commands to the VAs, and achieves this by using a phoneme level jamming control pipeline. Expand
Security Vetting Process of Smart-home Assistant Applications: A First Look and Case Studies
TLDR
It is shown the current security vetting is insufficient as developer mistakes can not be effectively detected and notified and a weak authentication would allow attackers to spoof the cloud to insert/retrieve data into/from the application endpoints. Expand
Meet Malexa, Alexa's Malicious Twin: Malware-Induced Misperception Through Intelligent Voice Assistants
TLDR
The results show that users who interacted with Malexa perceived that the government was less friendly to working people and more in favor of big businesses, and that Malexa is capable of inducing misperceptions regardless of the user's gender, political ideology or frequency of interaction with intelligent voice assistants. Expand
Fingerprinting encrypted voice traffic on smart speakers with deep learning
TLDR
This paper built an automatic voice traffic collection tool and collected two large-scale datasets on two smart speakers, Amazon Echo and Google Home, and implemented proof-of-concept attacks by leveraging deep learning, which indicate disturbing privacy concerns. Expand
Smart Home Personal Assistants
TLDR
An in-depth review of SPA’s security and privacy issues, categorizing the most important attack vectors and their countermeasures and discussing open research challenges that can help steer the community to tackle and address current security andPrivacy issues in SPA. Expand
Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem
TLDR
The first largescale analysis of Alexa skills is performed, obtained from seven different skill stores totaling to 90,194 unique skills, and it is found that while certain approaches are more favorable than others, there is no substantial abuse of skill squatting in the real world. Expand
Alexa, Who Am I Speaking To? Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa
TLDR
Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is native Alexa functionality, and design recommendations are made to help users distinguish native and third- party skills. Expand
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 38 REFERENCES
Continuous Authentication for Voice Assistants
TLDR
VAuth is the first system that provides continuous authentication for voice assistants, designed to fit in widely-adopted wearable devices, where it collects body-surface vibrations of the user and matches it with the speech signal received by the voice assistant's microphone. Expand
Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone
TLDR
A novel approach (GVS-Attack) to launch permission bypassing attacks from a zero-permission Android application (VoicEmployer) through the phone speaker, which can forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control without any permission. Expand
AuDroid: Preventing Attacks on Audio Channels in Mobile Devices
TLDR
An extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources, AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead. Expand
CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition
TLDR
Novel techniques are developed that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of background noise, while not being detected by a human listener. Expand
A11y Attacks: Exploiting Accessibility in Operating Systems
TLDR
This paper presents the first security evaluation of accessibility support for four of the most popular computing platforms: Microsoft Windows, Ubuntu Linux, iOS, and Android, and identifies twelve attacks that can bypass state-of-the-art defense mechanisms deployed on these OSs. Expand
Smart Locks: Lessons for Securing Commodity Internet of Things Devices
TLDR
This work examines the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or the lock manufacturer's remote servers and proposes several defenses that mitigate the attacks. Expand
Hidden Voice Commands
TLDR
This paper explores in this paper how voice interfaces can be attacked with hidden voice commands that are unintelligible to human listeners but which are interpreted as commands by devices. Expand
Cocaine Noodles: Exploiting the Gap between Human and Machine Speech Recognition
TLDR
It is found that differences in how humans and machines understand spoken speech can be easily exploited by an adversary to produce sound which is intelligible as a command to a computer speech recognition system but is not easily understandable by humans. Expand
SmartAuth: User-Centered Authorization for the Internet of Things
TLDR
The technique, called SmartAuth, automatically collects security-relevant information from an IoT app’s description, code and annotations, and generates an authorization user interface to bridge the gap between the functionalities explained to the user and the operations the app actually performs. Expand
Android UI Deception Revisited: Attacks and Defenses
TLDR
This work found that the solution proposed has a significant side channel vulnerability as well as susceptibility to clickjacking that allow non-privileged malware to completely compromise the defenses, and successfully steal passwords or other keyboard input. Expand
...
1
2
3
4
...