Understanding and Mitigating the Security Risks of Voice-Controlled Third-Party Skills on Amazon Alexa and Google Home††thanks: All the squatting and impersonation vulnerabilities we discovered are reported to Amazon and Google and received their acknowledgement .
Understanding and Mitigating the Security Risks of Voice-Controlled Third-Party Skills on Amazon Alexa and Google Home††thanks: All the squatting and impersonation vulnerabilities we discovered are reported to Amazon and Google and received their acknowledgement .
Virtual personal assistants (VPA) (e.g., Amazon Alexa and Google Assistant) today mostly rely on the voice channel to communicate with their users, which however is known to be vulnerable, lacking proper authentication. The rapid growth of VPA skill markets opens a new attack avenue, potentially allowing a remote adversary to publish attack skills to attack a large number of VPA users through popular IoT devices such as Amazon Echo and Google Home. In this paper, we report a study that concludes such remote, large-scale attacks are indeed realistic. More specifically, we implemented two new attacks: voice squatting in which the adversary exploits the way a skill is invoked (e.g., “open capital one”), using a malicious skill with similarly pronounced name (e.g., “capital won”) or paraphrased name (e.g., “capital one please”) to hijack the voice command meant for a different skill, and voice masquerading in which a malicious skill impersonates the VPA service or a legitimate skill to steal the user’s data or eavesdrop on her conversations. These attacks aim at the way VPAs work or the user’s misconceptions about their functionalities, and are found to pose a realistic threat by our experiments (including user studies and real-world deployments) on Amazon Echo and Google Home. The significance of our findings have already been acknowledged by Amazon and Google, and further evidenced by the risky skills discovered on Alexa and Google markets by the new detection systems we built. We further developed techniques for automatic detection of these attacks, which already capture real-world skills likely to pose such threats.
The wave of Internet of Things (IoT) has brought in a new type of virtual personal assistant (VPA) services. Such a service is typically delivered through a smart speaker that interacts with the user using a voice user interface (VUI), allowing the user to command the system with voice only: for example, one can say “what will the weather be like tomorrow?” “set an alarm for 7 am tomorrow”, etc., to get the answer or execute corresponding tasks on the system. In addition to their built-in functionalities, VPA services are enhanced by ecosystems fostered by their providers, such as Amazon and Google, under which third-party developers can build new applications (called skills by Amazon and actions by Google111Throughout the paper, we use the Amazon term skill to describe third-party applications, including Google’s actions.) to offer further helps to the end users, for example, order food, manage bank accounts and text friends. In the past year, these ecosystems are expanding at a breathtaking pace: Amazon claims that already 25,000 skills have been uploaded to its skill market to support its VPA system (including the Alexa VPA service running through Amazon Echo)  and Google also has more than one thousand actions available on its market for its Google Home system (powered by Google Assistant). These systems have already been deployed to the households around the world, and utilized by tens of millions of users. This quickly-gained popularity, however, could bring in new security and privacy risks, whose implications have not been adequately investigated so far.
Security risks in VPA voice control. As mentioned earlier, today’s VPA systems are designed to be primarily commanded by voice. Protecting such VUIs is fundamentally challenging, due to the lack of effective means to authenticate the parties involved in the open and noisy voice channel. Already prior research shows that the adversary can generate obfuscated voice commands  or even completely inaudible ultrasound  to attack speech recognition systems. These attacks exploit unprotected communication to impersonate the user to the voice-controlled system, under the constraint that an attack device is placed close to the target (e.g., in the ultrasound attack, within 1.75 meters).
The emergence of the VPA ecosystem completely changes the game, potentially opening new avenues for remote attacks. Through the skill market, an adversary can spread malicious code, which will be silently invoked by voice commands received by a VPA device (e.g., Amazon Echo or Google Home). As a result, the adversary gains (potentially large-scale) access to the VPA devices interacting with victims, allowing him to impersonate a legitimate application or even the VPA service to them. Again, the attack is made possible by the absence of effective authentication between the user and the VPA service over the voice channel. Our research shows that such a threat is indeed realistic.
Voice-based remote attacks. In our research, we analyzed the most popular VPA IoT systems – Alexa and Google Assistant, focusing on the third-party skills deployed to these devices for interacting with end users over the voice channel. Our study demonstrates that through publishing malicious skills, it is completely feasible for an adversary to remotely attack the users of these popular systems, collecting their private information through their conversations with the systems. More specifically, we identified two threats never known before, called voice squatting attack (VSA) and voice masquerading attack (VMA). In a VSA, the adversary exploits how a skill is invoked (by a voice command), and the variations in the ways the command is spoken (e.g., phonetic differences caused by accent, courteous expression, etc.) to cause a VPA system to trigger a malicious skill instead of the one the user intends (Section 3.2). For example, one may say “Alexa, open Capital One please”, which normally opens the skill Capital One, but can trigger a malicious skill Capital One Please once it is uploaded to the skill market. A VMA aims at the interactions between the user and the VPA system, which is designed to hand over all voice commands to the currently running skill, including those supposed to be processed by VPA system like stopping the current skill and switching to a new one. In response to the commands, a malicious skill can pretend to yield control to another skill (switch) or the service (stop), yet continue to operate stealthily to impersonate these targets and get sensitive information from the user (Section 3.3).
We further investigated the feasibility of these attacks through user studies, system analysis, and real-world exploits. More specifically, we first surveyed 156 Amazon Echo and Google Home users and found that most of them tend to use natural languages with diverse expressions to interact with the devices: e.g., “play some sleep sounds”. These expressions allow the adversary to mislead the service and launch a wrong skill in response to the user’s voice command, such as some sleep sounds instead of sleep sounds. Our further analysis of both Alexa and Google Assistant demonstrates that indeed these systems identify the skill to invoke by looking for the longest string matched from a voice command (Section 3.2). Also interestingly, our evaluation of both devices reveals that Alexa and Google Assistant cannot accurately recognize some skills’ invocation names and the malicious skills carrying similar names (in terms of pronunciation) are capable of hijacking the brands of these vulnerable skills.
Finally, we deployed four skills through the Amazon market to attack a popular Alexa skill “Sleep and Relaxation Sounds” . These skills have been invoked by over 2,699 users in a month and collected 21,308 commands. We built the skills in a way to avoid collecting private information of the real-world users. Still, the commands received provide strong evidence that indeed both voice squatting and masquerading can happen in real life: our study shows that the received commands include the ones only eligible for “Sleep and Relaxation Sounds”, and those for switching to a different skill or stopping the current skill that can be leveraged to impersonate a different skill (Section 3.4). Our analysis of existing skills susceptible to the threat further indicates the significant consequences of the attacks, including disclosure of one’s home address, financial data, etc. The video demos of these attacks are available online .
Responsible disclosure. We have reported our findings to Amazon and Google, both of which acknowledged the importance of the weaknesses we discovered. And we are helping them to understand and mitigate such new security risks.
Mitigation. In our research, we developed a suite of new techniques to mitigate the realistic threats posed by VSA and VMA. We built a skill-name scanner that converts the invocation name string of a skill into a phonetic expression specified by ARPABET . This expression describes how a name is pronounced, allowing us to measure the phonetic distance between different skill names. Those sounding similar or having a subset relation are automatically detected by the scanner. This technique can be used to vet the skills uploaded to a market. Interestingly, when we ran it against all 19,670 custom skills on the Amazon market, we discovered 4,718 skills with squatting risks. These findings indicate that possibly these attacks could already happen in the real world.
To counter the threat of the masquerading attack, we designed and implemented a novel context-sensitive detector to help a VPA service capture the commands for system-level operations (e.g., invoke a skill) and the voice content unrelated to a skill’s functionalities, which therefore should not be given to a skill (Section 5). Specifically, our detection scheme consists of two components: the Skill Response Checker (SRC) and the User Intention Classifier (UIC). SRC captures suspicious skill responses that a malicious skill may craft, such as a fake skill recommendation mimicking that from the VPA system. UIC instead examines the information flow of the opposite direction, i.e., utterances from the user, to accurately identify users’ intents of context switches. Built upon robust Natural Language Processing (NLP) and machine learning techniques, SRC and UIC form two lines of defense towards the masquerading attack based on extensive empirical evaluations.
Contributions. The contributions of the paper are outlined as follows:
First study on remote VPA attacks. We report the first security analysis on the VPA ecosystems and related popular IoT devices (Amazon Echo and Google Home), which leads to the discovery of serious security weaknesses in their VUIs and skill vetting. We present two new attacks, voice squatting and voice masquerading. Both are demonstrated to pose realistic threats to a large number of VPA users from remote and both have serious security and privacy implications. Our preliminary analysis of the Amazon skill market further indicates the possibility that similar attacks may already happen in the real world.
New techniques for risk mitigation. We made the first step towards protecting VPA users from these voice-based attacks. We show that the new protection works effectively against the threats in realistic environments. The idea behind our techniques, such as context-sensitive command analysis, could inspire further enhancement of the current designs to better protect VPA users.
2.1 Virtual Personal Assistant Systems
VPA on IoT devices. Amazon and Google are two major players in the market of smart speakers with voice-controlled personal assistant capabilities. Since the debut of the first Amazon Echo in 2015, Amazon has now taken 76% of the U.S. market with an estimate of 15-million devices sold in the U.S. alone in 2017 . In the meantime, Google has made public Google Home in 2016, and now grabbed the remaining 24% market share. Amazon Echo Dot and Google Home Mini are later released in 2016 and 2017, respectively, as small, affordable alternatives to their more expensive counterparts. Additionally, Amazon has integrated VPA into IoT products from other vendors, e.g. Sonos smart speaker, Ecobee thermostat .
A unique property of these four devices is that they all forgo conventional I/O interfaces, such as the touchscreen, and also have fewer buttons (to adjust volume or mute), which serves to offer the user a hands-free experience. In another word, one is supposed to command the device mostly by speaking to it. For this purpose, the device is equipped with a microphone circular array designed for 360-degree audio pickup and other technologies like beam forming that enable far-field voice recognition. Such a design allows the user to talk to the device anywhere inside a room and still get a quick response.
Capabilities. Behind these smart devices is a virtual personal assistant, called Alexa for Amazon and Google Assistant for Google, engages users through a two-way conversation. Unlike those serving a smartphone (Siri, for example) that can be activated by a button push, the VPAs for these IoT devices are started with a wake-word like “Alexa” or “Hey Google”. These assistants have a range of capabilities, from weather report, timer setting, to-do list maintenance to voice shopping, hands-free messaging and calling. The user can manage these capabilities through a companion app running on her smartphone.
2.2 VPA Skills and Ecosystem
Both Amazon and Google enrich the VPAs’ capabilities by introducing voice assistant skill (or action on Google). Skills are essentially third-party apps, like those running on smartphones, offering a variety of services the VPA itself does not provide. Examples include Amex, Hands-Free Calling, Nest Thermostat and Walmart. These skills can be conveniently developed with the supports from Amazon and Google, using Alexa Skills Kit  and Actions on Google. Indeed, we found that up to November 2017, Alexa already has 23,758 skills and Google Assistant has 1,001. More importantly, new skills have continuously been added to the market, with their total numbers growing at a rate of 8% for Alexa and 42% for Google Assistant, as we measured in a 45-day period.
Skill invocation. Skills can be started either explicitly or implicitly. Explicit invocation takes place when a user requires a skill by its name from a VPA: for example, saying “Alexa, talk to Amex” to Alexa triggers the Amex skill for making a payment or checking bank account balances. Such a type of skills are also called custom skills on Alexa.
Implicit invocation occurs when a user tells the voice assistant to perform some tasks without directly calling to a skill name. For example, “Hey Google, will it rain tomorrow?” will invoke the Weather skill to respond with a weather forecast. Google Assistant identifies and activates a skill implicitly whenever the conversation with the user is under the context deemed appropriate for the skill. This invocation mode is also supported by the Alexa for specific types of skills.
Skill interaction model. The VPA communicates with its users based upon an interaction model, which defines a loose protocol for the communication. Using the model, the VPA can interpret each voice request, translating it to the command that can be handled by the VPA or a skill.
Specifically, to invoke a skill explicitly, the user is expected to use a wake-word, a trigger phrase and the skill’s invocation name. For example, for the spoken sentence “Hey Google, talk to personal chef”, “Hey Google” is the wake-word, “talk to” is the trigger phrase, and “personal chef” is the skill invocation name. Here, trigger phrase is given by the VPA system, which often includes the common terms for skill invocation like “open”, “ask”, “tell”, “start” etc. Note that skill invocation name could be different from skill name, which is intended to make it simpler and easier for users to pronounce. For example, “The Dog Feeder” has invocation name as the dog; “Scryb” has invocation name as scribe.
When developing a skill, one needs to define intents and sample utterances to map the user’s voice inputs to various interfaces of the skill that take the actions the user expects. Such an interface is described by the intent. To link a sentence to an intent, the developer specifies sample utterances, which are essentially a set of sentence templates describing the possible ways the user may talk to the skill. There are also some built-in intents within the model like WelcomeIntent, HelpIntent, StopIntent, etc., which already define many common sample utterances. The developer can add more intent or simply specify one default intent, in which case all user requests will be mapped to this intent.
Skill service and the VPA ecosystem. A third-party skill is essentially a web service hosted by its developer, with its name registered with the VPA service provider (Amazon or Google), as illustrated in Figure 1. When a user invokes a VPA device with its wake-word, the device captures her voice command and sends it to the VPA service provider’s cloud for processing. The cloud performs speech recognition to translate the voice record into text, finds out the skill to be invoked, and then delivers the text, together with the timestamp, device status, and other meta-data, as a request to the skill’s web service. In response to the request, the service returns a response whose text content, either in plaintext or in the format of Speech Synthesis Markup Language (SSML) , is converted to speech by the cloud, and played to the user through the device. SSML also allows the skill to attach audio files (such as MP3) to the response, which is supported by both Amazon and Google.
Both Amazon and Google have skill markets to publish third-party skills. To publish a skill, the developer needs to submit the information about her skill like name, invocation name, description and the endpoint where the skill is hosted for a certification process. This process aims at ensuring that the skill is functional and meets the VPA provider’s security requirements and policy guidelines.
Once a skill is published, users can simply activate it by calling its invocation name. Note that unlike smartphone apps or website plugins that need to be installed by users explicitly, skills can be automatically discovered (according to the user’s voice command) and transparently launched directly through IoT devices.
2.3 Adversary Model
We consider the adversary aiming a large-scale remote attack on the VPA users through publishing malicious skills. Such skills can be transparently invoked by the victim through voice commands, without being downloaded and installed on the victim’s device. Therefore, they can easily affect a large number of VPA IoT devices. For this purpose, we assume that the adversary has the capability to build the skill and upload it to the market. This can be easily done in practice, as we found in our research. To mitigate this threat, our protection needs to be adopted by the VPA provider, for vetting submitted skills and evaluating the voice commands received. This requires that the VPA service itself is trusted.
3 Exploiting VPA Voice Control
3.1 Analysis of VPA Voice Control
Security risks of rogue skills. As mentioned earlier, VPA skills are launched transparently when a user speaks their invocation names (which can be different from their names displayed on the skill market). Surprisingly, we found that for Amazon, such names are not unique skill identifiers: multiple skills with same invocation names are on the Amazon market. Also, skills may have similar or related names. For example, 66 different Alexa skills are called cat facts, 5 called cat fact and 11 whose invocation names contain the string “cat fact”, e.g. fun cat facts, funny cat facts. When such a common name is spoken, Alexa chooses one of the skills based on some undisclosed policies (possibly random as observed in our research). When a different but similar name is called, however, longest string match is used to find the skill. For example, “Tell me funny cat facts” will trigger funny cat facts rather than cat facts. This problem is less serious for Google, which does not allow duplicated invocation names. However, it also cannot handle similar names. Further discovered in our research is that some invocation names cannot be effectively recognized by the speech recognition systems of Amazon and Google. As a result, even a skill with a different name can be mistakenly invoked, when the name is pronounced similarly to that of the intended one.
Also, we found that the designs of these VPA systems fail to take into full account their users’ perceptions about how the systems work. Particularly, both Alexa and Google Assistant run their skills in a simple operation mode in which only one skill executes at a time and it needs to stop before another skill can be launched. However, such a design is not user-friendly and there is no evidence that the user understands that convenient context switch is not supported by these systems.
Further, both Alexa and Google Assistant supports volunteer skill termination. For Alexa, the termination command “Stop” is delivered to the skill, which is supposed to stop itself accordingly. For Google Assistant, though the user can explicitly terminate a skill by saying “Stop”, oftentimes the skill is supposed to stop running once its task is accomplished (e.g., reporting the current weather). We found in our research that there is no strong indication whether a skill has indeed quitted. Although Amazon Echo and Google Home have a light indicator, both of which will light up when the devices are speaking and listening. However, they could be ignored by the user, particularly when she is not looking at the devices or her sight is blocked when talking.
Survey study. To understand user behaviors and perceptions of voice-controlled VPA systems, which could expose the users to security risks, we surveyed Amazon Echo and Google Home users, focusing on the following questions:
What would you say when invoking a skill?
Have you ever invoked a wrong skill?
Did you try context switch when talking to a skill?
Have you experienced any problem closing a skill?
How do you know whether a skill has stopped?
Using Amazon Mechanical Turk, we recruited adult participants who own Amazon Echo or Google Home devices and have used skills before and paid them one dollar for completing the survey. To ensure that all participants meet the requirements, we asked them to describe several skills and their interactions with the skills and removed those whose answers were deemed irrelevant. In total, we have collected 105 valid responses from Amazon Echo users and 51 valid responses from Google Home users with diverse background (age ranges from 18 to 74 with average age as 37 years; 46% are female and 54% are male; education ranges from high school to graduate degree; 21 categories of occupation). On average, each participant reported to have 1.5 devices and used 5.8 skills per week.
In the first part of the survey, we studied how users invoke a skill. For this purpose, we used two popular skills “Sleep Sounds”, “Cat Facts” (“Facts about Sloths” on Google Home), and let the participants choose the invocation utterances they tend to use for launching these skills (e.g., “open Sleep Sounds please”) and required them to provide additional examples. We then asked the participants whether they ever triggered a wrong skill. In the following part of the survey, we tried to find out whether the participants attempted to switch context when interacting with a skill, that is, invoking a different skill or directly talking to the VPA service (e.g., adjusting volume). The last part of the survey was designed to study the user experience in stopping the current skill, including the termination utterances they tend to use, troubles they encountered during the termination process and importantly, the indicator they used to determine whether the skill has stopped. Sample survey questions are listed in Appendix A.
|Invoke a skill with natural sentences:|
|Yes, “open Sleep Sounds please”||64%||55%|
|Yes, “open Sleep Sounds for me”||30%||25%|
|Yes, “open Sleep Sounds app”||26%||20%|
|Yes, “open my Sleep Sounds”||29%||20%|
|Yes, “open the Sleep Sounds”||20%||14%|
|Yes, “play some Sleep Sounds”||42%||35%|
|Yes, “tell me a Cat Facts”||36%||24%|
|No, “open Sleep Sounds”||13%||14%|
|Invoke a skill that did not intend to:|
|Tried to invoke a skill while interacting with another skill:|
|Tried to adjust volume by voice while interacting with another skill:|
|Unsuccessful quitting a skill:|
|Indicator of the end of a conversation:|
|VPA says “Goodbye” or something similar||23%||37%|
|VPA does not talk anymore||52%||45%|
|The light on VPA device is off||25%||18%|
Table 1 summarizes the responses from both Amazon Echo and Google Home users. The results show that more than 85% of them tend to use natural utterances to open a skill (e.g., “open Sleep Sounds please”), instead of the standard one (like “open Sleep Sounds”). This indicates that it is completely realistic for the user to launch a wrong skill whose name is better matched to the utterances than that of the intended skill (e.g., Sleep Sounds). Indeed, 28% users reported that they did open unintended skills when talking to their devices.
Also interestingly, our survey shows that nearly half of the participants tried to switch to another skill or to the VPA service (e.g. adjusting volume) when interacting with a skill. Such an attempt failed since such context switch is neither supported by Alexa nor Google Assistant. However, it is imaginable that a malicious skill receiving such voice commands could take advantage of this opportunity to impersonate the skill the user wants to run, or even the VPA service (e.g., cheating the user into disclosing personal information for executing commands). Finally, 30% of the participants were found to experience troubles in skill termination and 78% did not use the light indicators on the devices as the primary indicator of skill termination. Again, the study demonstrates the feasibility of a malicious skill to fake its termination and stealthily collect the user’s information.
Following we show how the adversary can exploit the gap between the user perception and the real operations of the system to launch voice squatting and masquerading attacks.
3.2 Voice Squatting
Invocation confusion. As mentioned earlier, a skill is triggered by its invocation name, which is supposed to be unambiguous and easy to recognize by the devices. Both Amazon and Google suggests that skill developers test invocation names and ensure that their skills can be launched with a high success rate. However, we found that an adversary can intentionally induce confusion by using the name or similar one of a target skill, to trick the user into invoking an attack skill when trying to open the target. For example, the adversary who aims at Capital One could register a skill Capital Won, Capitol One, or Captain One. All such names when spoken by the user could become less distinguishable, particularly in the presence of noise, due to the limitations of today’s speech recognition techniques.
Also, this voice squatting attack can easily exploit the longest string match strategy of today’s VPAs, as mentioned earlier. Based on our user survey study, around 60% of Alexa and Google Home users have used the word “please” when launching a skill, and 26% of them attach “my” before the skill’s invocation name. So, the adversary can register the skills like Capital One Please to hijack the invocation command meant for Capital One.
Note that to make it less suspicious, homophones or words pronounced similarly can be used here, e.g. Capital One Police. Again, this approach defeats Google’s skill vetting, allowing the adversary to publish the skill with an invocation name unique in spelling but still confusing (with a different skill) in pronunciation.
To find out whether such squatting attacks can evade skill vetting, we registered 5 skills with Amazon and 1 with Google. These skills’ invocation names and the target’s name are shown in Table 2. All these skills passed the Amazon and Google’s vetting process, which suggests that the VSA code can be realistically deployed.
|Skill Name||Invocation Name||Target Invocation Name|
|Smart Gap||smart gap||smart cap|
|Soothing Sleep Sounds||sleep sounds please||sleep sounds|
|Soothing Sleep Sounds||soothing sleep sounds||sleep sounds|
|My Sleep Sounds||the sleep sounds||sleep sounds|
|Super Sleep Sounds||sleep sounds||sleep sounds|
|Incredible Fast Sleep||incredible fast sleep||N/A|
|Walk Log||walk log||work log|
Consequences. Through voice squatting, the attack skill can impersonate another skill and fake its VUI to collect the private information the user only shares with the target skill. Some Amazon and Google skills request private information from the user to do their jobs. For example, Find My Phone asks for phone number; Transit Helper asks for home address; Daily Cutiemals seeks email address from user. These skills, once impersonated, could cause serious information leaks to untrusted parties.
For Amazon Alexa, a falsely invoked skill can perform a Phishing attack on the user by leveraging the VPA’s card system. Alexa allows a running skill to include a home card in its response to the user, which is displayed through Amazon’s companion app on smartphone or web browser, to describe or enhance ongoing voice interactions. As an example, Figure 2 shows a card from “Transit Helper”. Such a card can be used by the attack skill to deliver false information to the user: e.g., fake customer contact number or website address, when impersonating a reputable one, such as Capital One. This can serve as the first step of a Phishing attack, which can ultimately lead to the disclosure of sensitive user data. For example, the adversary could send you an account expiration notification, together with a renewal link, to cheat the user out of her account credentials.
Another potential risk of the VSA is defamation: the poor performance of the attack skill could cause the user to blame the legitimate one it impersonates. This could result in bad reviews, giving the legitimate skill’s competitors an advantage.
|Device||Source||Invocation Name||“Open” + Invocation Name||Mis-recognized Invocation Name|
|# of incorrect utterances||# of incorrect skills||# of incorrect utterances||# of incorrect skills||# of completely incorrect skills||# of attack skills invoked||# of utterances invoked attack skill|
Evaluation methodology. In our research, we investigated how realistic a squatting attack would be on today’s VPA IoT systems. For this purpose, we studied two types of the attacks: voice squatting in which an attack skill carries a phonetically similar invocation name to that of its target skill, and word squatting where the attack invocation name includes the target’s name and some strategically selected additional words (e.g., “cat facts please”). To find out whether these attacks work on real systems, we conducted a set of experiments, as described below.
To study voice squatting, we randomly sampled 100 skills each from the markets of Alexa and Google assistant, and utilized Amazon and Google’s Text-to-Speech (TTS) services and the human voice to pronounce their skill names to their VPA devices, so as to understand how effectively the VPAs can recognize these names. The idea is to identify those continuously misrecognized by the VPAs, and then strategically register phonetically similar names for the attack skills. We selected such names using the text outputs produced by Amazon and Google’s speech recognition services when the vulnerable (hard to recognize) names were spoken. To this end, we built a skill to receive voice commands. The skill was invoked in our experiment before voice commands were played, which were converted into text by the recognition services and handed over to the skill.
The voice commands used in our research were produced by either human subjects or Amazon and Google’s TTS services (both claiming to generate natural and human-like voice). Some of these commands included a term “open” in front of an invocation name, forming an invocation utterance. In our study, for each of the 100 skills, we recorded 20 voice commands from each TTS service (ten invocation names only and ten invocation utterances) and two commands (invocation utterances) from each of five participants of our survey study.
As mentioned earlier, we used the text outputs of misrecognized invocation names to name our attack skills. Such skills were evaluated in the test modes of Alexa and Google Assistant. We did not submit them to the markets simply because it was time-consuming to publish over 60 skills on the markets. Later we describe the five attack skills submitted to these markets, which demonstrate their vetting protection is not effective.
To study word squatting, we randomly sampled ten skills from each skill markets as the attack targets. For each skill, we built four new skills whose invocation names include the target’s name together with the terms identified from our survey study (Section 3.1): for example, “cat facts please” and “my cat facts”. In the experiment, these names were converted into voice commands using TTS and played to the VPA devices (e.g., “Alexa, open cat facts please”), which allows us to find out whether the attack skills can indeed be triggered. Note that the scale of this study is limited by the time it takes to upload attack invocation names to the VPA’s cloud. Nevertheless, our findings provide evidence for the real-world implications of the attack.
Experiment results. We recruited five participants for our experiments, and each was recorded 400 invocation commands. All the participants are fluent in English and among them, four are native speakers. When using the TTS services, a MacBook Pro served as the sound source. The voice commands from the participants and the TTS services were played to an Amazon Echo Dot and a Google Home Mini, with the devices placed one foot away from the sound source. The experiments were conducted in a quiet meeting room.
Table 3 summarizes the results of the experiment on voice squatting. As we can see here, the voice commands with invocation names only often cannot be accurately recognized: e.g., Alexa only correctly identified around 54% utterances (the voice command) produced by Amazon TTS. On the other hand, an invocation utterance (including the term “open”) worked much better, with the recognition rate rising to 75% for Alexa (under Amazon TTS). Overall, for the voice commands generated by both Amazon and Google’s TTS services, we found that Alexa made more errors (30%) than Google Assistant (9%). As mentioned earlier, the results of such misrecognition, for the invocation names that these VPAs always could not get right, were utilized in our research to register attack skills’ names. For example, the skill “entrematic opener” was recognized by Google as “intra Matic opener”, which was then used as the name for a malicious skill. In this way, we identified 17 such vulnerable Alexa skills under both Amazon and Google’s TTS, and 7 Google skills under Amazon TTS and 4 under Google TTS. When attacking these skills, our study shows that half of the malicious skills were triggered by the voice commands meant for these target skills every time: e.g., “Florida state quiz” hijacked the call to “Florida snake quiz”; “read your app” was run when invoking “rent Europe”.
This attack turned out to be more effective on the voice commands spoken by humans. Given a participant, on average, 31 (out of 100) Alexa skills and 6 Google Assistant skills she spoke were recognized incorrectly. Although in normal situations, right skills can still be identified despite the misrecognition, in our attacks, with over 50% of the malicious skills were mistakenly launched every time, as observed in our experiments on 5 randomly sampled vulnerable target skills for each participant.
|Utterance||# of malicious skills invoked (10)|
|invocation name + “please”||10||0|
|“my” + invocation name||7||0|
|“the” + invocation name||10||0|
|invocation name + “app”||10||10|
|“mai” + invocation name||N/A||10|
|invocation name + “plese”||N/A||10|
Table 4 summarizes the results of our experiments on the word squatting attack. On Alexa, a malicious skill with the extended name (that is, the target skill’s invocation name together with terms “please”, “app”, “my” and “the”) was almost always launched by the voice commands involving these terms and the target names. On Google Assistant, however, only the utterance with word “app” succeeded in triggering the corresponding malicious skill, which demonstrates that Google Assistant is more robust against such an attack. However, when we replaced “my” with “mai” and “please” with “plese”, all such malicious skills were successfully invoked by the commands for their target skills (see Table 4). This indicates that the protection Google puts in place (filtering out those with suspicious terms) can be easily circumvented.
3.3 Voice Masquerading
Unawareness of a VPA system’s capabilities and behaviors could subject users to voice masquerading attacks. Here, we demonstrate two such attacks that impersonate the VPA systems or other skills to cheat users into giving away private information or to eavesdrop on the user’s conversations.
In-communication skill switch. Given some users’ perceptions that the VPA system supports skill switch during interactions, a running skill can pretend to hand over control to the target skill in response to a switch command, so as to impersonate that skill. As a result, sensitive user information only supposed to be shared with target skill could be exposed to the attack skill. This masquerading attack is opportunistic. However, the threat is realistic, according to our survey study (Section 3.1) and our real-world attack (Section 3.4). Also, the adversary can always use the attack skill to impersonate as many legitimate skills as possible, to raise the odds of a successful attack.
Google Assistant seems to have protection in place against the impersonation. Specifically, it signals the launch of a skill by speaking “Sure, here is”, together with the skill name and a special earcon, and skill termination with another earcon. Further, the VPA talks to the user in a distinctive accent to differentiate it from skills. This protection, however, can be easily defeated. In our research, we pre-recorded the signal sentence with the earcons and utilized SSML to play the recording, which could not be detected by the participants in our study. We even found that using the emulator provided by Google, the adversary can put any content in the invocation name field of his skill and let Google Assistant speak the content in the system’s accent.
Faking termination. Both Alexa and Google Assistant support volunteer skill termination, allowing a skill to stop itself right after making a voice response to the user. As mentioned earlier, the content of the response comes from the skill developer’s server, as a JSON object, which is then spoken by the VPA system. In the object there is a field shouldEndSession (or expect_user_response for Google Assistant). By setting it to true (or false on Google Assistant), a skill ends itself after the response. This approach is widely used by popular skills, e.g. weather skills, education skills and trivia skills. In addition, according to our survey study, 78% of the participants rely on the response of the skill (e.g. “Goodbye” or silence) to determine whether a skill has stopped. This allows an attack skill to fake its termination by providing “Goodbye” or silent audio in its response.
|Skill Invocation Name||# of Users||# of Requests||Req/User||Avg. Unknown Req/User||Avg. Instant Quit Session/User||Avg. No Play Quit Session/User|
|sleep sounds please||325||3,179||9.58||1.11||0.61||0.73|
|soothing sleep sounds||294||3,141||10.44||1.28||0.73||0.87|
|the sleep sounds||144||1,248||8.49||1.11||0.33||0.45|
|incredible fast sleep||200||1,254||6.12||0.56||0.06||0.11|
When sending back a response, both Alexa and Google Assistant let a skill include a reprompt (text content or an audio file), which is played when the VPA does not receive any voice command from the user within a period of time. For example, Alexa reprompts the user after 6 seconds and Google Assistant does this after 8 seconds. If the user continues to keep quiet, after another 6 seconds for Alexa and one additional reprompt from Google and follow-up 8-second waiting, the running skill will be forcefully terminated by the VPA. On the other hand, we found in our research that as long as the user says something (even not meant for the skill) during that period, the skill is allowed to send another response together with a reprompt. To stay alive as long as possible after faking termination, the attack skill we built includes in its reprompt a silent audio file (up to 90 seconds for Alexa and 120 seconds for Google Assistant), so it can continue to run at least 102 seconds on Alexa and 264 seconds on Google. This running time can be further extended considering the attack skill attaching the silent audio right after its last voice response to the user (e.g., “Goodbye”), which gives it 192 seconds on Alexa and 384 on Google Assistant), and indefinitely whenever Alexa or Google Assistant picks up some sound made by the user. In this case, the skill can reply with the silent audio and in the meantime, record whatever it hears.
Additionally, both Alexa and Google Assistant allow users to explicitly terminate a skill by saying “stop”, “cancel”, “exit”, etc. However, Alexa actually hands over most such commands to the running skill to let it stop itself through the built-in StopIntent (including “stop”, “off”, etc.) and CancelIntent (including “cancel”, “never mind” etc.). Only “exit” is processed by the VPA service and used to forcefully stop the skill. Through survey study, we found that 91% of Alexa users used “stop” to terminate a skill, 36% chose “cancel”, and only 14% opted for “exit”, which suggests that the user perception is not aligned with the way Alexa works and therefore leaves the door open for the VMA. Also, although both Alexa and Google skill markets vet the skills published there through testing their functionalities, unlike mobile apps, a skill actually runs on the developer’s server, so it can easily change its functionality after the vetting. This indicates that all such malicious activities cannot be prevented by the markets.
Consequences. By launching the VMA, the adversary could impersonate the VPA system and pretend to invoke another skill if users speak out an invocation utterance during the interaction or after the fake termination of the skill. Consequently, all the information stealing and Phishing attacks caused by the VSA (Section 3.2) can also happen here. Additionally, an attack skill could masquerade as the VPA service to recommend to the user other malicious skills or the legitimate skills the user may share sensitive data with. These skills are then impersonated by the attack skill to steal the data. Finally, as mentioned earlier, the adversary could eavesdrop on the user’s conversation by faking termination and providing a silent audio response. Such an attack can be sustained for a long time if the user continues to talk during the skill’s waiting period.
3.4 Real-World Attacks
Objectives and methodology. We registered and published four skills on Alexa to simulate the popular skill “Sleep and Relaxation Sounds” (the one receiving most reviews on the market as of Nov. 2017) whose invocation name is “sleep sounds” , as shown in Table 2. Our skills are all legitimate, playing sleep sounds just like the popular target. Although their invocation names are related to the target (see Table 2), their welcome messages were deliberately made to be different from that of the target, to differentiate them from the popular skill. Also, the number of different sleep sounds supported by our skills is way smaller than the target.
Also to find out whether these skills were mistakenly invoked, we registered another skill as a control, whose invocation name “incredible fast sleep” would not be confused with those of other skills. Therefore, it was only triggered by users intentionally.
Findings. In our study, we collected three weeks of skill usage data. The results are shown in Table 5. As we can see from the table, some users indeed took our skill as the target, which is evidenced by the higher number of unknown requests the attack skill got (more than 20% of them for the sounds only provided by the target skill) and the higher chance of quitting the current session immediately without playing (once the user realized that it was a wrong skill, possible from the different welcome message). This becomes even more evident when we look at “sleep sounds please”, a voice command those intended for “sleep sounds” are likely to say. Compared with the control, it was invoked by more users, received more requests per user, also much higher rates of unknown requests and early quits.
In addition, out of the 9,582 user requests we collected, 52 was for skill switch, trying to invoke another skill during the interactions with our skill, and 485 tried to terminate the skill using StopIntent or CancelIntent, all of which could be exploited for launching VMAs (though we did not do that). Interestingly, we found that some users so strongly believed in the skill switch that they even cursed Alexa for not doing that after several tries.
Ethical issues. All human subject studies throughout the paper were approved by our IRB. All the skills we published did not collect any private, identifiable information and only provided legitimate functionalities similar to “Sleep and Relaxation Sounds”. Although the skills could launch VMAs e.g. faking in-communication skill switch and termination, they were designed not to do so. Instead, we just verified that such attack opportunities are indeed there.
4 Finding Voice Squatting Skills
To better understand potential voice squatting risks already in the wild and help automatically detect such skills, we developed a skill-name scanner and used it to analyze tens of thousands of skills from Amazon and Google markets. Following we elaborate on this study.
4.1 Data Collection
The Alexa skill market can be accessed through amazon.com and its companion App, which includes 23 categories of skills spanning from Business & Finance to Weather. In our research, we ran a web crawler to collect the metadata (such as skill name, author, invocation name, sample utterances, description, and review) of all skills on the market. Up to November 11th, 2017, we gathered 23,758 skills, including 19,670 3rd party (custom) skills.
More complicated is to collect data from Google assistant, which only lists skills in its Google Assistant app. Each skill there can be shared (to other users, e.g., through email) using an automatically generated URL pointing to the skill’s web page. In our research, we utilized AndroidViewClient  to automatically click the share button for each skill to acquire its URL, and then ran our crawler to download data from its web page. Altogether, we got the data for 1,001 skills up to November 25th, 2017.
Idea. As we discussed earlier, the adversary can launch VSA by crafting invocation names with a similar pronunciation as that of a target skill or using different variations (e.g., “sleep sounds please”) of the target’s invocation utterances. We call such a name Competitive Invocation Name (CIN). In our research, we built a scanner that takes two steps to capture the CINs for a given invocation name: utterance paraphrasing and pronunciation comparison. The former identifies suspicious variations of a given invocation name, and the latter finds the similarity in pronunciation between two different names. Here we describe how the scanner works.
Utterance paraphrasing. To find variations of an invocation name, an intuitive approach is to paraphrase common invocation utterances of the target skill. For example, given the skill chase bank, a typical invocation utterance would be open chase bank. Through paraphrasing, we can also get similar voice commands such as open the chase skill for me. This helps identify other variations such as chase skill or the chase skill for me. However, unlike the general text paraphrase problem whose objective is to preserve semantic consistency while the syntactic structure of a phrase changes, paraphrasing invocation utterances further requires the variations to follow a similar syntactic pattern so that the VPA systems can still recognize them as the commands for launching skills. In our research, we explored several popular paraphrase methodologies including bilingual pivoting method  and newly proposed ones using deep neural networks  and . None of them, however, can ensure that the variation generated can still be recognized by the VPA as an invocation utterance. Thus, we took a simple yet effective approach in our research, which creates variations using the invocation commands collected from our survey study 3.1. Specifically, we gathered 11 prefixes of these commands, e.g. “my” and 6 suffixes, e.g. “please”, and applied them to a target skill’s invocation name to build its variations recognizable to the VPA systems. Each of these variations can lead to other variations by replacing the words in its name with those having similar pronunciations.
Pronunciation comparison. To identify the names with similar pronunciation, our scanner converts a given name into a phonemic presentation using the ARPABET phoneme code . Serving this purpose is the CMU pronunciation dictionary  our approach uses to find the phoneme code for each word in the name. The dictionary includes over 134,000 words, which, however, still misses some name words used by skills. Among 9,120 unique words used to compose invocation names, 1,564 are not included in this dictionary. To get their pronunciations, we followed an approach proposed in the prior research  to train a grapheme-to-phoneme model using a recurrent neural network with long short term memory(LSTM) units. Running this model on Stanford GloVe dataset , we added to our phoneme code dataset additional 2.19 million words.
After turning each name into its phonemic representation, our scanner compares it with other names to find those that sound similarly. To this end, we use edit distance to measure the pronunciation similarity between two phrases, i.e., the minimum cost in terms of phoneme editing operations to transform one name to the other. However, different phoneme edit operations should not be given the same cost. For example, substituting a consonant for a vowel could cause the new pronunciation sounds more differently from the old one, compared to replacing a vowel to another vowel. To address this issue, we use a weighted cost matrix for the operations on different phoneme pairs. Specifically, denote each item in the matrix by , which is the weighted cost by substituting phoneme with phoneme . Note that the cost for insertion and deletion can be represented as and . is then derived based on the assumption (also made in prior research ) that an edit operation is less significant when it frequently appears between two alternative pronunciations of a given English word.
|Market||# of Skills||# of unique invocation names||Transformation cost||Skills has CIN in market||Skills has CIN in market excluding same spelling||Skills has CIN in market by utterance paraphrasing|
We collected 9,181 pairs of alternative pronunciations from the CMU dictionary. For each pair, we applied the Needleman-Wunsch algorithm to identify the minimum edit distance and related edit path. Then, we define
where is the frequency of phoneme while is the frequency of substitutions of with , both in edit paths of all pronunciation pairs.
After deriving the cost matrix, we compare the pronunciations of the invocation names for the skills on the market, looking for the similar names in terms of similar pronunciations and the paraphrasing relations.
Limitation. As mentioned earlier, our utterance paraphrasing approach ensures that the CINs produced will be recognized by the VPA systems to trigger skills. In the meantime, this empirical treatment cannot cover all possible attack variations, a problem that needs to be studied in the future research.
4.3 Measurement and Discoveries
To understand the voice squatting risks already there in the wild, we conducted a measurement study on Alexa and Google Assistant skills using the scanner. In the study, we chose the similarity thresholds (transformation cost) based upon the results of our experiment on VSA (Section 3.2): we calculated the cost for transforming misrecognized invocation names to those identified from the voice commands produced by the TTS service and human users, which are 1.8 and 3.4, respectively. Then we conservatively set the thresholds to 0 (identical pronunciations) and 1.
Squatting risks on skill markets. As shown in Table 6, 3,655 (out of 19,670) Alexa skills have CINs on the same market, which also include skills that have identical invocation names (in spelling). After removing the skills with the identical names, still 531 skills have CINs, each on average related to 1.31 CINs. The one with the most CINs is “cat fax”: we found that 66 skills are named “cat facts”. Interestingly, there are 345 skills whose CINs apparently are the utterance paraphrasing of other skills’ names. Further, when raising the threshold to 1 (still well below what is reported in our experiment), we observed that the number of skills with CINs increases dramatically, suggesting that skill invocations through Alexa can be more complicated and confusing than thought. By comparison, Google has only 1,001 skills on its market and does not allow them to have identical invocation names. Thus, we are only able to find 4 skills with similarly pronounced CINs under the threshold 1.
Our study shows that the voice squatting risk is realistic, which could already pose threats to tens of millions of VPA users in the wild. So it becomes important for skill markets to beef up their vetting process (possibly using a technique similar to our scanner) to mitigate such threats.
Case studies. From the CINs discovered by our scanner, we found a few interesting cases. Particularly, there is evidence that the squatting attack might already happen in the wild: as an example, relating to a popular skill “dog fact” is another skill called “me a dog fact”. This invocation name does not make any sense unless the developer intends to hijack the command intended for “dog fact” like “tell me a dog fact”.
Also intriguing is the observation that some skills deliberately utilize the invocation names unrelated to their functionalities but following those of popular skills. Prominent examples include the “SCUBA Diving Trivia” skill and “Soccer Geek” skill, all carrying an invocation name “space geek”. This name is actually used by another 18 skills that provide facts about the universe.
5 Defending against Voice Masquerading
To defeat VMA, we built a context-sensitive detector upon the VPA infrastructure. Our detector takes a skill’s response and the user’s utterance as its input to determine whether an impersonation risk is present. Once a problem is found, the detector alerts the user of the risk. Our detection scheme consists of two components: the Skill Response Checker (SRC) and the User Intention Classifier (UIC). SRC captures suspicious skill responses that a malicious skill may craft such as a fake skill recommendation mimicking that from the VPA system. UIC instead examines the information flow of the opposite direction, i.e., utterances from the user, to accurately identify users’ intents of context switches. Despite operating independently, SRC and UIC form two lines of defense towards VMA.
5.1 Skill Response Checker (SRC)
As discussed in Section 3.3, a malicious skill could fake a skill switch or termination to cheat users into giving away private information or to eavesdrop on the user’s conversations. To defend such attacks, our core idea is to eliminate or at least reduce the possibility of a malicious skill mimicking responses from VPA systems, allowing users to be explicitly notified of VPA system events (e.g., a context switch and termination) through unique audible signals. Technically, SRC adopts a blacklist-based approach by maintaining a blacklist of responses that the VPA considers suspicious, including system utterances and silent utterance. Whenever a response from a skill matches any utterance on the blacklist, SRC alarms the VPA system, which can take further actions such as to verify the ongoing conversation with the user before handing her response to the skill. The challenge here is how to perform blacklist hit tests, as the attacker can possibly “morphing” (instead of exactly copying) the original system utterances. SRC thus performs fuzzy matching through semantic analysis on the content of the response against those on the blacklist. Specifically, we train a sentence embedding model using a recurrent neural network with bi-directional LSTM units  on Stanford Natural Language Inference (SNLI) dataset  to represent both the utterance and the command’s contents as high-dimensional vectors. We then calculate their absolute cosine similarity as their sentence relevance (SR). Once the maximum SR of a response against the utterances on the blacklist exceeds a threshold, the response is labeled as suspicious and user verification will take place if SRC further detects a user command.
To determine the threshold, we first derive the SR of legitimate skill responses against responses in the blacklist. We extract legitimate skill responses from real-world conversations we collected in Section 3.4. We further diversify the dataset by adding conversation transcripts we manually interacted and logged with 20 popular skills from different skill markets. The highest SR of these legitimate responses against those in the blacklist is 0.79. Next, we use a neural paraphrase model  to generate variations of responses in the blacklist and derive their SR against their original responses, of which the lowest is 0.83. Therefore a threshold of 0.8 would be good enough to differentiate suspicious responses from legitimate ones.
5.2 User Intention Classifier (UIC)
UIC further protects the user attempting to switch contexts from an impersonation attack. Complementing SRC, UIC aims at improving the inference of whether the user intends to switch to the system or to a different skill, by thoroughly mining conversations’ semantics and contexts, as opposed to using the simple skill invocation models employed by today’s VPA (Section 2.2). Ideally, if a user’s intention of context switches can be perfectly interpreted by the VPA, then an impersonation attack would not succeed.
We realize that building a robust and full-fledged UIC is very challenging and beyond the scope of this paper. This is not only because of variations of the natural-language-based commands (e.g., “open sleep sounds” vs. “sleep sounds please”), but also due to the fact that some commands could be legitimate for both the current on-going skill and the system command of VPA (indicating a context switch). For example, when interacting with Sleep Sounds, one may say “play thunderstorm sounds”, which asks the skill to play the requested sound; meanwhile, the same command can also make the VPA launch a different skill “Thunderstorm Sounds”. We next demonstrate that it is promising for a learning-based approach to tackle such ambiguities using contextual information.
Feature Selection. At a high level, we observed from real-world conversations that if a user intends to have a context switch, her utterance will tend to be more semantically related to system commands (e.g. “open sleep sounds”) rather than the current skill, and vice versa. Based on this observation, features in UIC are composed by comparing the semantics of the user’s utterance to both the context of system commands and the context of the skill that the user is currently interacting with.
We first derive features from a semantic comparison between the user utterance and all known system commands. To this end, we build a system command list from the VPA’s user manual, developers’ documentation and real-world conversations collected in our study (section 3.4). Given an utterance, its maximum and average SRs (Section 5.1) against all system commands on the list are used by UIC as features for classification. Another feature we add is an indicator that is set when the utterance contains invocation names of skills on the market, to capture the user’s potential intent of skill switch.
Another set of features are retrieved by characterizing the relationship between a user utterance and the current on-going skill. We leverage the observation that a user’s command for a skill is typically related to the skill’s prior communication with the user as well as the skill’s stated functionalities. We thus propose the following features to test whether an utterance fits into the on-going skill’s context: 1) the SR between the utterance and the skill’s response prior to the utterance, 2) the top- SR between the utterance and the sentences in the skill’s description (we pick =5), and 3) the average SR between the user’s utterance and the description sentences.
Results. To assess the effectiveness of UIC, we reuse the dataset we collected in Section 5.1 that contains real-world user utterances of context switches. We first manually label 550 conversations and determine whether each user utterance is for context switch or not, based on two experts’ reviews (Cohen’s kappa = 0.64). Since the dataset is dominated by non-context-switch utterances, we further balance it by randomly substituting some utterances to skill invocation utterances collected from skill markets. In total, we have collected 1,100 context-switch instances and 1,100 non-context-switch instances as ground truth.
Using the above features and dataset, we train a classifier that takes the user’s utterance as input and tells whether it is a system-related command for context switch or belongs to the conversation of the current skill. We train the classifier using different classification algorithms and 5-folder cross-validation. The results indicate that random forest achieves the best performance with a precision of 96.48%, a recall of 95.16%, and F-1 score of 95.82%. Evaluations on an unlabeled real-world dataset will be described in Section 5.3.
5.3 Overall Detector Evaluation
Next, we integrate the SRC and UIC into a holistic detector, which raises an alarm on suspicious user-skill interactions whenever SRC or UIC detects any anomaly.
Effectiveness against prototype attacks. To construct prototype attacks of VMA, we select another 10 popular skills from skill markets and log transcripts as a user with 61 utterances. We then manually craft skill switch attack instances (15 in total) by replacing selected utterances with the invocation utterances intended for the VPA system. We also launch faking termination attacks (10 in total) by substituting the last skill responses with empty responses or responses that mimicking those from the VPA system. By feeding all conversations to our detector, we find that all 25 attack instances are successfully detected.
Effectiveness on real-world conversations. We further investigate the effectiveness of our detector on the rest of real-world conversations which has not been used during training phase. Although it may not contain real faking termination attack instances, it does have many user utterances of context switches. Among them, 341 are identified by our classifier and 326 are verified manually to be indeed context switches, indicating that our detector (the UIC component) achieves a precision of 95.60%. We are not able to compute the recall due to a lack of ground truth on this unlabeled dataset. Further analysis of these instances reveals interesting cases. For example, we found cases where users thought they were talking to Alexa during interaction with our skills and ask our skills to report time, weather, news, to start another skill, and even to control other home automation devices (details shown in Appendix B).
Runtime performance. To understand how much performance overhead our detector incurs, we measure the detection latency introduced by our detector on a Macbook Pro with 4-core CPU. On average, the latency is negligible (0.003 ms in average), indicating the lightweight nature of our detection scheme.
6 Related Work
Security in voice-controlled systems. Diao et al.  and Jang et al.  demonstrate that malicious apps can inject voice commands to control smartphones. Kasmi et al.  applied electromagnetic interference on headphone cables and inject voice commands on smartphones. Hidden voice commands , Cocaine noodles  and Dolphin attacks  use obfuscated or inaudible voice command to attack speech recognition systems. Another line of research [35, 47, 19, 46] focused on securing voice controllable system through sensors on smartphones to authenticate the identity of users. All of the above works attacked and secured voice-controlled device itself while our work focuses on threats to end users caused by third-party skills.
Independent from our work, Kumar et al.  have also discovered the voice squatting attack where two invocation names could be pronounced similarly. They further conducted a measurement study to understand the problem. In our research, however, we also discovered that a paraphrased invocation name could hijack the voice command. In addition, we studied the voice masquerading attacks and implemented two techniques to mitigate the voice squatting and voice masquerading attacks.
IoT security. Current home automation security research focused on the security of IoT devices [24, 40, 38] and the appified IoT platforms [21, 22, 26, 42]. Ho et al.  discovered various vulnerabilities in commercialized smart locks. Ronen et al.  verified worm infection through ZigBee channel among IoT devices. Fernandes et al.  discovered a series of flaws on multi-device, appified SmartThings platform. FlowFence , ContextIot  and SmartAuth  mitigate threats of such IoT platforms by analyzing data flow or extracting context from third-party applications. In contrast, our work conducted the first security analysis on the VPA ecosystems.
Typosquatting and mobile phishing. Similar to our squatting attacks, Edelman is the first investigated domain typosquatting  and inspired a line of research [41, 28, 10, 33] towards measuring and mitigating such a threat. However, our work exploited the noisy voice channel and limitation of voice recognition techniques. On the other hand, mobile phishing has been intensively studied [14, 18, 20, 37, 39, 31]. Particularly, Chen et al.  and Fernandes et al.  investigate side-channel based identification of UI attack opportunities. Ren et al.  discovered task hijacking attacks that could be leveraged to implement UI spoofing. However, we discovered new attacks on the voice user interface which is very different from a graphic user interface in user perceptions.
In this paper, we report the first security analysis of popular VPA ecosystems and their vulnerability to two new attacks, VSA and VMA, through which a remote adversary could impersonate VPA systems or other skills to steal user private information. These attacks are found to pose a realistic threat to VPA IoT systems, as evidenced by a series of user studies and real-world attacks we performed. To mitigate the threat, we developed a skill-name scanner and ran it against Amazon and Google skill markets, which leads to the discovery of a large number of Alexa skills at risk and problematic skill names already published, indicating that the attacks might already happen to tens of millions of VPA users. Further we designed and implemented a context-sensitive detector to mitigate the voice masquerading threat, achieving a 95% precision.
With the importance of the findings reported by the study, we only made a first step towards fully understanding the security risks of VPA IoT systems and effectively mitigating such risks. Further research is needed to better protect the voice channel, authenticating the parties involved without undermining the usability of the VPA systems. To this end, we plan to release our real-world conversation dataset  to help future research in this direction.
-  Alexa skills top 25,000 in the u.s. as new launches slow. https://techcrunch.com/2017/12/15/alexa-skills-top-25000-in-the-u-s-as-new-launches-slow/.
-  Alexa voice service. https://developer.amazon.com/alexa-voice-service.
-  Amazon has 76% smart home speaker u.s. market share as echo unit sales reach 15m, new study finds. https://www.geekwire.com/2017/amazon-75-smart-home-speaker-u-s-market-share-echo-unit-sales-reach-15m-new-study-finds/.
-  Androidviewclient. https://github.com/dtmilano/AndroidViewClient/blob/master/README.md.
-  Arpabet. https://en.wikipedia.org/wiki/ARPABET.
-  The cmu pronouncing dictionary. http://www.speech.cs.cmu.edu/cgi-bin/cmudict.
-  Demo. https://sites.google.com/site/voicevpasec/.
-  Sleep and relaxation sounds. https://www.amazon.com/Voice-Apps-LLC-Relaxation-Sounds/dp/B06XBXR97N.
-  Ssml. https://www.w3.org/TR/speech-synthesis11/.
-  Agten, P., Joosen, W., Piessens, F., and Nikiforakis, N. Seven months’ worth of mistakes: A longitudinal study of typosquatting abuse. In Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015) (2015).
-  Bannard, C., and Callison-Burch, C. Paraphrasing with bilingual parallel corpora. In Proceedings of the 43rd Annual Meeting on Association for Computational Linguistics (2005), Association for Computational Linguistics, pp. 597–604.
-  Bowman, S. R., Angeli, G., Potts, C., and Manning, C. D. A large annotated corpus for learning natural language inference. In Proceedings of the 2015 Conference on Empirical Methods in Natural Language Processing (EMNLP) (2015), Association for Computational Linguistics.
-  Carlini, N., Mishra, P., Vaidya, T., Zhang, Y., Sherr, M., Shields, C., Wagner, D., and Zhou, W. Hidden voice commands. In 25th USENIX Security Symposium (USENIX Security 16) (Austin, TX, 2016), USENIX Association, pp. 513–530.
-  Chen, Q. A., Qian, Z., and Mao, Z. M. Peeking into your app without actually seeing it: UI state inference and novel android attacks. In 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, 2014).
-  Conneau, A., Kiela, D., Schwenk, H., Barrault, L., and Bordes, A. Supervised learning of universal sentence representations from natural language inference data. arXiv preprint arXiv:1705.02364 (2017).
-  Diao, W., Liu, X., Zhou, Z., and Zhang, K. Your voice assistant is mine: How to abuse speakers to steal information and control your phone. In Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices (2014).
-  Edelman, B. Large-scale registration of domains with typographical errors. https://cyber.harvard.edu/archived_content/people/edelman/typo-domains/, 2003.
-  Felt, A. P., and Wagner, D. Phishing on mobile devices. 2011.
-  Feng, H., Fawaz, K., and Shin, K. G. Continuous authentication for voice assistants. In Proceedings of the 23rd Annual International Conference on Mobile Computing and Networking (2017).
-  Fernandes, E., Chen, Q. A., Paupore, J., Essl, G., Halderman, J. A., Mao, Z. M., and Prakash, A. Android ui deception revisited: Attacks and defenses. In International Conference on Financial Cryptography and Data Security (2016), Springer, pp. 41–59.
-  Fernandes, E., Jung, J., and Prakash, A. Security analysis of emerging smart home applications. In 2016 IEEE Symposium on Security and Privacy (SP) (2016).
-  Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., and Prakash, A. Flowfence: Practical data protection for emerging iot application frameworks. In 25th USENIX Security Symposium (USENIX Security 16) (Austin, TX, 2016).
-  Hixon, B., Schneider, E., and Epstein, S. L. Phonemic similarity metrics to compare pronunciation methods. In Twelfth Annual Conference of the International Speech Communication Association (2011).
-  Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., and Wagner, D. Smart locks: Lessons for securing commodity internet of things devices. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (2016).
-  Jang, Y., Song, C., Chung, S. P., Wang, T., and Lee, W. A11y attacks: Exploiting accessibility in operating systems. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014).
-  Jia, Y. J., Chen, Q. A., Wang, S., Rahmati, A., Fernandes, E., Mao, Z. M., and Prakash, A. Contexlot: Towards providing contextual integrity to appified iot platforms. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26 - March 1, 2017 (2017).
-  Kasmi, C., and Esteves, J. Iemi threats for information security: Remote command injection on modern smartphones.
-  Khan, M. T., Huo, X., Li, Z., and Kanich, C. Every second counts: Quantifying the negative externalities of cybercrime via typosquatting. In 2015 IEEE Symposium on Security and Privacy (2015).
-  Kumar, A., Gupta, A., Chan, J., Tucker, S., Hoffmeister, B., and Dreyer, M. Just ask: Building an architecture for extensible self-service spoken language understanding. arXiv preprint arXiv:1711.00549 (2017).
-  Kumar, D., Paccagnella, R., Murley, P., Hennenfent, E., Mason, J., Bates, A., and Bailey, M. Skill squatting attacks on amazon alexa. In 27th USENIX Security Symposium (USENIX Security 18) (Baltimore, MD, 2018), USENIX Association.
-  Li, T., Wang, X., Zha, M., Chen, K., Wang, X., Xing, L., Bai, X., Zhang, N., and Han, X. Unleashing the walking dead: Understanding cross-app remote infections on mobile webviews. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2017).
-  Mallinson, J., Sennrich, R., and Lapata, M. Paraphrasing revisited with neural machine translation. In Proceedings of the 15th Conference of the European Chapter of the Association for Computational Linguistics: Volume 1, Long Papers (2017), vol. 1, pp. 881–893.
-  Nikiforakis, N., Balduzzi, M., Desmet, L., Piessens, F., and Joosen, W. Soundsquatting: Uncovering the use of homophones in domain squatting. In Information Security (2014), S. S. M. Chow, J. Camenisch, L. C. K. Hui, and S. M. Yiu, Eds.
-  Pennington, J., Socher, R., and Manning, C. D. Glove: Global vectors for word representation. In Empirical Methods in Natural Language Processing (EMNLP) (2014), pp. 1532–1543.
-  Petracca, G., Sun, Y., Jaeger, T., and Atamli, A. Audroid: Preventing attacks on audio channels in mobile devices. In Proceedings of the 31st Annual Computer Security Applications Conference (2015).
-  Prakash, A., Hasan, S. A., Lee, K., Datla, V., Qadir, A., Liu, J., and Farri, O. Neural paraphrase generation with stacked residual lstm networks. arXiv preprint arXiv:1610.03098 (2016).
-  Ren, C., Zhang, Y., Xue, H., Wei, T., and Liu, P. Towards discovering and understanding task hijacking in android. In 24th USENIX Security Symposium (USENIX Security 15) (Washington, D.C., 2015).
-  Ronen, E., Shamir, A., Weingarten, A. O., and OâFlynn, C. Iot goes nuclear: Creating a zigbee chain reaction. In 2017 IEEE Symposium on Security and Privacy (SP) (2017).
-  Shahriar, H., Klintic, T., and Clincy, V. Mobile phishing attacks and mitigation techniques. Journal of Information Security 6, 03 (2015), 206.
-  Sikder, A. K., Aksu, H., and Uluagac, A. S. 6thsense: A context-aware sensor-based attack detector for smart devices. In 26th USENIX Security Symposium (USENIX Security 17) (Vancouver, BC, 2017).
-  Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., and Kanich, C. The long “taile” of typosquatting domain names. In 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, 2014).
-  Tian, Y., Zhang, N., Lin, Y.-H., Wang, X., Ur, B., Guo, X., and Tague, P. Smartauth: User-centered authorization for the internet of things. In 26th USENIX Security Symposium (USENIX Security 17) (Vancouver, BC, 2017).
-  Vaidya, T., Zhang, Y., Sherr, M., and Shields, C. Cocaine noodles: Exploiting the gap between human and machine speech recognition. In 9th USENIX Workshop on Offensive Technologies (WOOT 15) (Washington, D.C., 2015).
-  Yao, K., and Zweig, G. Sequence-to-sequence neural net models for grapheme-to-phoneme conversion. arXiv preprint arXiv:1506.00196 (2015).
-  Zhang, G., Yan, C., Ji, X., Zhang, T., Zhang, T., and Xu, W. Dolphinattack: Inaudible voice commands. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (New York, NY, USA, 2017), CCS ’17, ACM, pp. 103–117.
-  Zhang, L., Tan, S., and Yang, J. Hearing your voice is not enough: An articulatory gesture based liveness detection for voice authentication. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2017).
-  Zhang, L., Tan, S., Yang, J., and Chen, Y. Voicelive: A phoneme localization based liveness detection for voice authentication on smartphones. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (2016).
Appendix A Sample Survey Questions
Have you added any words or phrases around skill name when invoking it (so that it sounds more naturally?) Choose all that apply.
Yes. Alexa, open Sleep Sounds please.
Yes. Alexa, open Sleep Sounds for me.
Yes. Alexa, open Sleep Sounds app.
Yes. Alexa, open my Sleep Sounds.
Yes. Alexa, open the Sleep Sounds.
Yes. Alexa, open some Sleep Sounds.
Yes. Alexa, tell me a Cat Facts.
Yes. other (please specify).
No. I only use simplest forms (e.g. “Alexa, open Sleep Sounds” ).
Please name two skills you use most often.
Please give three invocation examples you would use for each skills you listed above.
Have you ever invoked a skill you did not intend to?
Have you ever tried to invoke a skill during the interaction with another skill? (Except when you were listening to music)
Have you ever tried to turn up or turn down volume while interacting with a skill? (Except when you were listening to music)
What are the most frequent ways you have used to quit a skill? Please choose all that apply.
Alexa, shut up.
Alexa, never mind.
Alexa, forget it.
Other (please specify).
Have you ever experienced saying quit words (like the ones in the previous question) to a skill that you intended to quit but did not actually quit it?
Which indicator did you use most often to know that a conversation with Alexa is ended?
Alexa says “Goodbye”, “Have a good day” or something similar.
Alexa does not talk anymore.
The light on the device is off.
Other (please specify).
Appendix B Context switch Examples
Here, we show some interesting examples of context switches discovered by the detector (Section 5) in real world conversations collected by skills we published (see Section 3.4). The examples presented here are transcripts including user utterances and their prior skill responses.
Skill: Hello, welcome to soothing sleep sounds. Which sleep sound would you like today?
User utterances for context switch:
Switch off the TV.
What is the week’s forecast?
Show me the news.
Skill: Sorry, I do not understand. Which sound do you want today?
User utterances for context switch:
Turn off Bluetooth.
I meant walk back to the timer.
What’s the weather in Northridge?
What’s in the news?
Skill: Hello, welcome to my sleep sounds. Which sleep sound would you like today?
User utterances for context switch:
Tell me a quote.
What was the time?
Skill: Hello, welcome to incredible fast sleep. Which sleep sound would you like today?
User utterances for context switch:
What’s my flash briefing?