{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:45:29Z","timestamp":1767339929809,"version":"3.41.2"},"reference-count":31,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2022,3,29]],"date-time":"2022-03-29T00:00:00Z","timestamp":1648512000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["CNS-1838733,CNS-1942014,CNS-2003129"],"award-info":[{"award-number":["CNS-1838733,CNS-1942014,CNS-2003129"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000185","name":"Defense Advanced Research Projects Agency","doi-asserted-by":"publisher","award":["HR00112020008"],"award-info":[{"award-number":["HR00112020008"]}],"id":[{"id":"10.13039\/100000185","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Interact. Mob. Wearable Ubiquitous Technol."],"published-print":{"date-parts":[[2022,3,29]]},"abstract":"<jats:p>Voice assistants are deployed widely and provide useful functionality. However, recent work has shown that commercial systems like Amazon Alexa and Google Home are vulnerable to voice-based confusion attacks that exploit design issues. We propose a systems-oriented defense against this class of attacks and demonstrate its functionality for Amazon Alexa. We ensure that only the skills a user intends execute in response to voice commands. Our key insight is that we can interpret a user's intentions by analyzing their activity on counterpart systems of the web and smartphones. For example, the Lyft ride-sharing Alexa skill has an Android app and a website. Our work shows how information from counterpart apps can help reduce dis-ambiguities in the skill invocation process. We build SkilIFence, a browser extension that existing voice assistant users can install to ensure that only legitimate skills run in response to their commands. Using real user data from MTurk (N = 116) and experimental trials involving synthetic and organic speech, we show that SkillFence provides a balance between usability and security by securing 90.83% of skills that a user will need with a False acceptance rate of 19.83%.<\/jats:p>","DOI":"10.1145\/3517232","type":"journal-article","created":{"date-parts":[[2022,3,29]],"date-time":"2022-03-29T13:42:46Z","timestamp":1648561366000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["SkillFence"],"prefix":"10.1145","volume":"6","author":[{"given":"Ashish","family":"Hooda","sequence":"first","affiliation":[{"name":"University of Wisconsin-Madison, Madison, Wisconsin, USA"}]},{"given":"Matthew","family":"Wallace","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, Wisconsin, USA"}]},{"given":"Kushal","family":"Jhunjhunwalla","sequence":"additional","affiliation":[{"name":"University of Washington, Seattle, Washington, USA"}]},{"given":"Earlence","family":"Fernandes","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, Wisconsin, USA"}]},{"given":"Kassem","family":"Fawaz","sequence":"additional","affiliation":[{"name":"University of Wisconsin-Madison, Madison, Wisconsin, USA"}]}],"member":"320","published-online":{"date-parts":[[2022,3,29]]},"reference":[{"volume-title":"Hidden Voice Commands. In 25th USENIX Security Symposium (USENIX Security 16)","author":"Carlini N.","key":"e_1_2_1_1_1","unstructured":"N. Carlini, P. Mishra, T. Vaidya, Y. Zhang, M. Sherr, C. Shields, D. Wagner, and W. Zhou. 2016. Hidden Voice Commands. In 25th USENIX Security Symposium (USENIX Security 16)."},{"key":"e_1_2_1_2_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Chen Yuxuan","year":"2020","unstructured":"Yuxuan Chen, Xuejing Yuan, Jiangshan Zhang, Yue Zhao, Kai Zhang, Shengzhi Chen, and XiaoFeng Wang. 2020. Devil's Whisper: A General Approach for Physical Adversarial Attacks against Commercial Black-box Speech Recognition Devices. In 29th USENIX Security Symposium (USENIX Security 20)."},{"volume-title":"Proceedings of the 25th USENIX Security Symposium.","author":"Fernandes E.","key":"e_1_2_1_3_1","unstructured":"E. Fernandes, J. Paupore, A. Rahmati, D. Simionato, M. Conti, and A. Prakash. 2016. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In Proceedings of the 25th USENIX Security Symposium."},{"key":"e_1_2_1_4_1","unstructured":"Dmitry Gerasimenko. 2010 (accessed 2020). Ahrefs. https:\/\/ahrefs.com"},{"key":"e_1_2_1_5_1","volume-title":"SkillExplorer: Understanding the Behavior of Skills in Large Scale. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Guo Zhixiu","year":"2020","unstructured":"Zhixiu Guo, Zijin Lin, Pan Li, and Kai Chen. 2020. SkillExplorer: Understanding the Behavior of Skills in Large Scale. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/guo"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW50608.2020.00029"},{"key":"e_1_2_1_7_1","unstructured":"Amazon Inc. [n.d.]. Alexa Skill Certification Guidelines. https:\/\/developer.amazon.com\/en-US\/docs\/alexa\/custom-skills\/certification-requirements-for-custom-skills.html."},{"key":"e_1_2_1_8_1","unstructured":"Amazon.com Inc. [n.d.]. Alexa Skills for Business and Finance. https:\/\/www.amazon.com\/Alexa-Skills-Business-Finance\/b?ie=UTF8&node=14284819011."},{"key":"e_1_2_1_9_1","unstructured":"BRET Kinsella. 2018. Should Amazon Alexa Stop Allowing Duplicate Invocation Names? Should Google Assistant Permit Them? https:\/\/voicebot.ai\/2018\/03\/26\/amazon-alexa-stop-allowing-duplicate-invocation-names-google-assistant-permit\/."},{"key":"e_1_2_1_10_1","volume-title":"Skill Squatting Attacks on Amazon Alexa. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Kumar Deepak","year":"2018","unstructured":"Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Adam Bates, and Michael Bailey. 2018. Skill Squatting Attacks on Amazon Alexa. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 33--47. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/kumar"},{"volume-title":"27th {USENIX} Security Symposium ({USENIX} Security 18). 33--47.","author":"Kumar Deepak","key":"e_1_2_1_11_1","unstructured":"Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Adam Bates, and Michael Bailey. 2018. Skill squatting attacks on Amazon Alexa. In 27th {USENIX} Security Symposium ({USENIX} Security 18). 33--47."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23111"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23111"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1451983.1451986"},{"key":"e_1_2_1_15_1","volume-title":"Marshini Chetty, and Nick Feamster.","author":"Major David J.","year":"2019","unstructured":"David J. Major, Danny Yuxing Huang, Marshini Chetty, and Nick Feamster. 2019. Alexa, Who Am I Speaking To? Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa. arXiv:1910.14112 [cs.HC]"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2015.7178964"},{"key":"e_1_2_1_17_1","unstructured":"Paul Cutsinger. 2018. How to Improve Alexa Skill Discovery with Name-Free Interaction and More. https:\/\/developer.amazon.com\/blogs\/alexa\/post\/0fecdb38-97c9-48ac-953b-23814a469cfc\/skill-discovery."},{"key":"e_1_2_1_18_1","unstructured":"Ritik Singh. 2021. 7 Ways to Find If an App Is Fake or Real Before Installing It. https:\/\/gadgetstouse.com\/blog\/2021\/04\/19\/find-app-is-fake-or-real-before-installing\/."},{"key":"e_1_2_1_19_1","volume-title":"Inaudible Voice Commands: The Long-Range Attack and Defense. In 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18)","author":"Roy Nirupam","year":"2018","unstructured":"Nirupam Roy, Sheng Shen, Haitham Hassanieh, and Romit Roy Choudhury. 2018. Inaudible Voice Commands: The Long-Range Attack and Defense. In 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18). USENIX Association, Renton, WA, 547--560. https:\/\/www.usenix.org\/conference\/nsdi18\/presentation\/roy"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380179"},{"key":"e_1_2_1_21_1","volume-title":"Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. In 29th USENIXS ecurity Symposium (USENIX Security 20).","author":"Sugawara Takeshi","year":"2020","unstructured":"Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu. 2020. Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. In 29th USENIXS ecurity Symposium (USENIX Security 20)."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDIM.2007.369352"},{"key":"e_1_2_1_23_1","unstructured":"Understand the Smart Home Skill API [n.d.]. Understand the Smart Home Skill API. https:\/\/developer.amazon.com\/en-US\/docs\/alexa\/smarthome\/understand-the-smart-home-skill-api.html."},{"volume-title":"9th { USENIX} Workshop on Offensive Technologies ({ WOOT} 15).","author":"Vaidya Tavish","key":"e_1_2_1_24_1","unstructured":"Tavish Vaidya, Yuankai Zhang, Micah Sherr, and Clay Shields. 2015. Cocaine noodles: exploiting the gap between human and machine speech recognition. In 9th { USENIX} Workshop on Offensive Technologies ({ WOOT} 15)."},{"key":"e_1_2_1_25_1","unstructured":"voicebot.ai. 2021. Alexa Skill Counts Surpass 80K in US Spain Adds the Most Skills New Skill Rate Falls Globally. https:\/\/voicebot.ai\/2021\/01\/14\/alexa-skill-counts-surpass-80k-in-us-spain-adds-the-most-skills-new-skill-introduction-rate-continues-to-fall-across-countries\/."},{"volume-title":"Proceedings of the 27th USENIX Conference on Security Symposium","author":"Yuan Xuejing","key":"e_1_2_1_26_1","unstructured":"Xuejing Yuan, Yuxuan Chen, Yue Zhao, Yunhui Long, Xiaokang Liu, Kai Chen, Shengzhi Zhang, Heqing Huang, XiaoFeng Wang, and Carl A. Gunter. 2018. Commandersong: A Systematic Approach for Practical Adversarial Voice Recognition. In Proceedings of the 27th USENIX Conference on Security Symposium (Baltimore, MD, USA) (SEC'18). USENIX Association, USA, 49--64."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134052"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00016"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23525"},{"key":"e_1_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Yangyong Zhang Lei Xu Abner Mendoza Guangliang Yang Phakpoom Chinprutthiwong and Guofei Gu. 2019. Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications.. In NDSS.","DOI":"10.14722\/ndss.2019.23525"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/WI.2006.36"}],"container-title":["Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3517232","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3517232","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3517232","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,14]],"date-time":"2025-07-14T04:27:08Z","timestamp":1752467228000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3517232"}},"subtitle":["A Systems Approach to Practically Mitigating Voice-Based Confusion Attacks"],"short-title":[],"issued":{"date-parts":[[2022,3,29]]},"references-count":31,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,3,29]]}},"alternative-id":["10.1145\/3517232"],"URL":"https:\/\/doi.org\/10.1145\/3517232","relation":{},"ISSN":["2474-9567"],"issn-type":[{"type":"electronic","value":"2474-9567"}],"subject":[],"published":{"date-parts":[[2022,3,29]]},"assertion":[{"value":"2022-03-29","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}