Virtual assistants (VAs) have seen increased use in recent years due to their ease of use for daily tasks. Despite their growing prevalence, their security and privacy implications are still not well understood. To address this gap, we conducted a study to evaluate the security and privacy postures of eight widely used voice assistants: Alexa, Braina, Cortana, Google Assistant, Kalliope, Mycroft, Hound, and Extreme. We used three vulnerability testing tools, AndroBugs, RiskInDroid, and MobSF, to assess the security and privacy of these VAs. Our analysis focused on five areas: code, access control, tracking, binary analysis, and sensitive data confidentiality. The results revealed that these VAs are vulnerable to a range of security threats, including not validating SSL certificates, executing raw SQL queries, and using a weak mode of the AES algorithm. These vulnerabilities could allow malicious actors to gain unauthorized access to users' personal information. This study is a first step toward understanding the risks associated with these technologies and provides a foundation for future research to develop more secure and privacy-respecting VAs.