With the growing number of consumers choosing to add smart speakers to the devices within their home; attackers will likely begin to leverage this trend for their own nefarious purposes. Moreover, there has recently been an example of how these devices can inadvertently breach your privacy. Adding to this; security researchers have already demonstrated vulnerabilities showing that unintended actions are possible.
Researchers from Indiana University in Bloomington, the University of Virginia and the Chinese Academy of Sciences recently demonstrated the following vulnerabilities and their affects leading to Amazon and Google evaluating possible fixes or working on ways to mitigating them:
Scenario 1: Smart speaker has a 3rd party app “skill” installed which accepts an activation phrase (“Alexa” [follow by your choice of words]) very similar to other legitimate apps. It has the potential to hijack the connection
Scenario 2: Using a rogue skill; an attacker can eavesdrop on conversations and simulate returning control to a legitimate skill but instead carry on to gather further sensitive information from the user. Recent research carried out has had about 50% success with impersonating legitimate skills.
Scenario 3: Previous research back in April involved creating a skill that purposely fails to terminate after hearing the activation phrase
What steps can I take to make these attacks more difficult?
The advice below will not only make your device more secure but will also safeguard your privacy by ensuring data is not stored by the smart speaker vendor over a long period of time:
- Turning off their built-in microphone during sensitive conversations. Amazon Echo’s has a large mute button at the top of the device. This article details how to do this for Google Home. Apple’s HomePod takes another approach.
- Change the default activation phrase from “Alexa”. Google’s Home doesn’t yet have this capability but it is in progress. Apple’s HomePod doesn’t offer it currently either.
- Deleting existing voice history or purchases made: Here’s how for Amazon Echo and Google Home
- Disabling the Amazon Echo’s Drop In feature which turns the Echo’s/Dots into intercoms or reviewing who has access to this feature and removing unwanted contacts.
- Disabling the camera of the Amazon Echo Show
- Adding the option of using a PIN before purchases can be made with the Amazon Echo (be aware this offers little extra security if another person nearby can you hear you).
- Apple HomePod: [Recommended] Settings to Change
- Regularly check for an install updates for your devices:
Amazon Echo Devices:
Google Home Firmware Versions:
Update: 14th August 2019
Amazon have introduced a privacy setting to allow people to opt-out of their Amazon Echo “Alex” recording being reviewed by human listeners:
Accessible from “Settings”, click on the Alexa Privacy link, and choose “Manage How Your Data Improves Alexa”.
The following guide details how to delete past Amazon Echo recordings:
Apple HomePod List of Privacy Features