What developers need to know about an Alexa vulnerability

A security vulnerability was discovered in July 2019 that showed Amazon’s cloud servers contained voice recordings of Alexa interactions from customers. Furthermore, improper handling of records retained by Amazon, along with this Alexa vulnerability, could expose users’ private data to a potentially programming-savvy attacker.

All Alexa virtual assistants automatically transmit all recording data back to Amazon servers. The company saves storage space by retaining certain voice recordings and deleting others at any time. Amazon employees routinely listen to recordings to determine how well Alexa understands requests and improve the service. Recordings are linked with an account number and the user’s first name.

Amazon gives users the option to delete their interaction with Alexa, but doesn’t give them the option to prevent Amazon from retaining certain voice recordings. Indefinite record retention implies a lack of private data retention policy for Amazon’s servers. The company decides on the dates the records must be removed from its primary storage systems, not the consumer.

A similar security concern also exists in Alexa for Business. Developers use the service to build, test and deploy Jenkins code to the cloud. Just like the aforementioned Alexa vulnerability, developers can delete recordings on their end, but don’t have the option to control what records Amazon may retain.

Alexa for Business

Before you start with Alexa for Business, a developer will need to set up an Amazon Echo device or Alexa-enabled speaker. You can download the app to any smartphone or tablet with iOS 9.0 or higher, Android 6.0 or higher or Fire OS 3.0 or higher. If you want to download the app to a desktop computer, it will require a private Wi-Fi connection.

Alexa for Business allows the development team leader to control who has access to any part of a business application. Alexa devices can be shared for anyone to use in a conference room, or any other common areas in a workplace.

A tool included for Alexa for Business is the Alexa Skills Kit — the SDK that developers use to add skills to Alexa. The developer should build an Alexa skill portal with a voice-user interface and include a cloud service. The interface should understand user utterances and have a cloud service tell Alexa how to respond to a user’s request. Be aware that Alexa skills aren’t available on an intranet.

A custom Alexa skill can be hosted as an AWS Lambda platform that can be triggered by events, like when a user talks to Alexa. Developers can run the code in the cloud without a server to provision and manage services. However, AWS serverless security flaws could allow for an injection of malicious event data.

It’s important that you check for any possible Alexa vulnerabilities before you install any components of Alexa for Business in the cloud. Also, data privacy laws and record retention issues are two important areas to be aware of.