Evaluating the Security and Privacy Risk Postures of Virtual Assistants (2312.14633v1)
Abstract: Virtual assistants (VAs) have seen increased use in recent years due to their ease of use for daily tasks. Despite their growing prevalence, their security and privacy implications are still not well understood. To address this gap, we conducted a study to evaluate the security and privacy postures of eight widely used voice assistants: Alexa, Braina, Cortana, Google Assistant, Kalliope, Mycroft, Hound, and Extreme. We used three vulnerability testing tools, AndroBugs, RiskInDroid, and MobSF, to assess the security and privacy of these VAs. Our analysis focused on five areas: code, access control, tracking, binary analysis, and sensitive data confidentiality. The results revealed that these VAs are vulnerable to a range of security threats, including not validating SSL certificates, executing raw SQL queries, and using a weak mode of the AES algorithm. These vulnerabilities could allow malicious actors to gain unauthorized access to users' personal information. This study is a first step toward understanding the risks associated with these technologies and provides a foundation for future research to develop more secure and privacy-respecting VAs.
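The three findings named in the abstract (unvalidated SSL certificates, raw SQL built from strings, and AES in a weak mode) are the kind of pattern a static analyzer flags in decompiled Android source. The following added example is not from the paper and does not reproduce the actual rule sets of AndroBugs, RiskInDroid, or MobSF; it is a minimal, line-oriented rule scanner in Python with constructed rule ids (`SSL-001`, `SQL-001`, `CRYPTO-001`, and so on) run over two constructed Java fragments, one vulnerable and one hardened, to show how each finding is detected and what the corrected code looks like.

```python
import re
from dataclasses import dataclass

# Constructed Java fragment standing in for decompiled source of a VA app.
# It deliberately contains each of the three defect classes from the abstract.
VULNERABLE_SOURCE = """
public class NetClient {
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) { }
    };
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cursor q = db.rawQuery("SELECT * FROM notes WHERE user='" + user + "'", null);
}
"""

# Constructed hardened counterpart: default certificate validation (no custom
# verifier or TrustManager), an authenticated AES mode, and a parameterized query.
HARDENED_SOURCE = """
public class NetClient {
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    Cursor q = db.rawQuery("SELECT * FROM notes WHERE user=?", new String[]{user});
}
"""


@dataclass(frozen=True)
class Rule:
    id: str          # constructed identifier, not a real tool's rule id
    area: str        # analysis area in the paper's terminology
    pattern: re.Pattern
    message: str


# Hypothetical rules mirroring the abstract's findings.
RULES = [
    Rule("SSL-001", "code", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
         "hostname verification disabled"),
    Rule("SSL-002", "code", re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}"),
         "TrustManager accepts any server certificate"),
    Rule("SQL-001", "code", re.compile(r"rawQuery\(\s*\"[^\"]*\"\s*\+"),
         "raw SQL query built by string concatenation"),
    Rule("CRYPTO-001", "sensitive data confidentiality",
         re.compile(r"Cipher\.getInstance\(\s*\"AES/ECB"),
         "AES used in ECB mode"),
]


def scan(source: str) -> list[dict]:
    """Apply every rule to every line; return findings in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append({"rule": rule.id, "area": rule.area,
                                 "line": lineno, "message": rule.message})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per analysis area, the shape of a per-app risk posture."""
    counts: dict = {}
    for f in findings:
        counts[f["area"]] = counts.get(f["area"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        found = scan(src)
        print(f"{name}: {summarize(found)}")
        for f in found:
            print(f"  line {f['line']}: [{f['rule']}] {f['message']}")
```

Line-by-line regex matching is enough for the constructed input but a real analyzer works on the decompiled AST or smali, since a permissive TrustManager body or a concatenated query can span several lines; the hardened fragment passes all four rules because it relies on the platform's default certificate validation rather than on overriding it.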
Authors: Borna Kalhor, Sanchari Das