Smart speakers such as the Amazon Echo have already shown themselves to be untrustworthy. Only a few months ago, reports emerged of the Amazon Alexa assistant letting out random bouts of sinister laughter. The always-listening devices have also been accused of enabling snooping by law enforcement.
This week, public fear has ramped up a level after a US couple’s conversation was recorded and sent to an acquaintance without their knowledge. According to a KIRO 7 news report on Wednesday, the couple received a phone call from one of the husband’s employees, saying, “unplug your Alexa devices right now. You’re being hacked”.
Voice-activated devices such as the Amazon Echo, Google Home and Apple HomePod are increasingly linked up to other systems. If hackers were able to manipulate this, for example by gaining access to someone’s central heating, the consequences could be devastating.
“Making devices, such as Alexa, responsible for important systems and controls around the house is concerning, especially when evidence emerges that it’s able to turn a simple mistake into a potentially serious consequence,” says Chris Boyd, malware analyst at Malwarebytes.
Since the technology behind the Amazon Echo and Google Home is powered by AI, it stores command history to help make the device “smarter”. That way, it can better respond to future commands, says David Emm, principal security researcher, Kaspersky Lab. But he points out: “While the reasoning behind storing your command data is sound, imagine what could go wrong if someone else could get access to that? Even if Amazon doesn’t do anything questionable with your Echo interactions, it does store them in the cloud, which isn’t totally hacker-proof. The Echo communicates via an internet connection through a home Wi-Fi network, which unless secure could potentially become compromised.”
It’s a concerning picture. Yet Amazon thinks the recent incident was a case of bad luck. According to a spokesperson: “Echo woke up due to a word in background conversation sounding like ‘Alexa’. Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted the background conversation as ‘right’. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
The company adds that Amazon “takes customer security seriously” and has “full teams dedicated to ensuring the safety and security of our products”. It also points out that Amazon has taken measures to make Echo secure, such as disallowing third-party application installation on the device, security reviews, secure software development requirements and encryption of communication between Echo, the Alexa App and Amazon servers.
But critics of the firm think it might not be doing enough to ensure security as it rushes to steal a lead over its competitors Google and Apple. Amazon is “perhaps a little guilty of putting ease of use over the privacy and security of its users”, Ed Macnair, CEO of cloud security company CensorNet, suggests.
“It must sharpen up the effectiveness of the voice recognition and AI software used in the one second audio buffer. People also need to ask themselves how comfortable they are to be part of what is effectively a large scale proof of concept for a relatively new technology. It will improve over time as the technology is iterated, but at the moment it seems the relationship with the user is perhaps skewed in Amazon’s favour.”
And the vulnerabilities in smart speakers and voice assistants are already known. “If you want to know what the hacks of the future look like, look at the academic hacks of the present,” Charles Arthur, author of Cyber Wars, says. “Even last year, researchers were demonstrating ‘dolphin attacks’ against smart speakers and voice assistants: situations where the audio is distorted so that humans don’t hear anything, but the machine hears a command. Give it 20 years, and why wouldn’t that be as widespread as SQL injections or ransomware?”
The Amazon case saw people hack themselves unintentionally, but Arthur says the incident shows how easily a malicious and targeted cyber-attack could happen. “The real flaw here was the ability to send the audio file to a contact. That’s an obvious security weakness, which I think Amazon shouldn’t enable. It’s overkill: how many birthday messages does it seriously think people are going to send to their grandmother intentionally?”
But smart speakers are not going to go away: during the first quarter of this year, Google shipped 3.2 million of its Google Home and Home Mini devices, while Amazon shipped 2.5 million Echos. So how can consumers be as secure as possible while enjoying the convenience such devices offer? According to Arthur: “For most people, the two things they could do which would ramp up their security enormously are: Delete Adobe Flash Player and its hooks from your PC; and enable two-factor authentication on your email – and disable the Echo’s ability to send voice files.”
At the same time, says Dan Read, partner at UK law firm TLT: “Privacy is the watchword of the day as the GDPR comes into effect. Businesses must adopt the principles of privacy by design, but consumers also have some important lessons to learn. For example, most devices will have a mute button to stop it scanning for the wake word – or users are able to change their privacy and device settings to exclude access to location, contacts, voice purchasing and smart skills.”
Yet at a time when companies and individuals are being breached successfully every day – and hackers are constantly finding new ways to attack – caution is essential. Boyd says: “Placing everything from heating and home security, to fridge freezers and power usage under the control of smart hubs is a big step. I suspect some may be switching back from ‘smart’ to ‘stupid’ setups as we speak. I don’t believe our day-to-day experiences in the real world are quite ready for technology having this level of access and power over us just yet.”
Date: May 25, 2018