The Alexa Voice Service (AVS) enables device makers to integrate Alexa into a variety of products, from smartphones and smart speakers to home appliances and hearables. With the introduction of new voice-forward products, device makers need to consider how to secure their cloud-connected devices. In this blog post, we highlight three best practices that device makers must implement to improve the security of their products.
Most device manufacturers roll out regular software updates to add new features and keep customers’ devices secure. However, cloud-connected devices are often plug-and-play – consumers tend to ‘set and forget’ such products and rarely check for updates on their own. We recommend that device makers implement secure software update mechanisms. Additionally, we recommend that device makers implement up-to-date security mechanisms such as using the latest version of Transport Layer Security (TLS) for session connections, prohibiting default passwords, validating all inputs before processing them in services, and applying all security patches to vulnerable open source software.
While you can minimize vulnerabilities by hardening devices, it is important to also create robust company security policies. Examples of such policies include allowing security researchers to report security issues, conducting periodic software maintenance to update and patch known security vulnerabilities, and establishing security incident response procedures in case an incident does occur.
It is important to have the right security expert within your company to establish secure design practices and perform security assessments on production devices. To help with this, the AVS team has identified security laboratories across the globe to provide device makers with an independent security assessment and help resolve any security-related issues. Examples of these security labs include Bishop Fox, NCC Group, Underwriters Laboratories, and Onward Security.
A full list of security best practices can be found on the AVS Developer Portal. If you need to get in touch with any of the above laboratories or have any questions about security best practices for devices with Alexa 'Built-In', reach out to avs-security@amazon.com.