A blog series on the risks associated with using “Internet of Things” smart devices: phones, cars, webcams and voice control devices like Amazon Echo and Google Home.
What can go wrong if I get an Amazon Echo or a similar voice command device?
Continuing with the potential dangers of voice control devices, this article takes an in-depth look at Alexa. Alexa is an amazing device, bringing some stunning capabilities and a multitude of possibilities to our homes. With these amazing capabilities, however, there comes a certain level of risk. Be mindful of where you place a voice control device; the device shouldn’t be in view from a window.
Alexa can pick out its wake word even when another noise is present or the wake word is faint. This is because both Echo and Echo Dot have seven microphones. “Standing on the street and shouting ‘Alexa – play some Slayer’ through our front window resulted in a pretty horrendous din back on the inside.” Remember, Alexa and other voice control systems don’t recognize voices yet, so anyone can say (or yell) the wake word.
Amazon showing deference to Star Trek
Alexa has a very limited number of different wake words. The wake word doesn’t provide any protection from “unauthorized use”. Until recently, three possible wake words were available: (the default) “Alexa”, “Amazon” and “Echo”. Recently, in a nod to Star Trek fans and the famous TV and movie series, Amazon added the word “computer” (DailyMail UK publication).
According to Prof. Joon Park: “As a security researcher, I would just like to add that one of the most common/significant vulnerabilities in voice-activated devices, including Echo and Apple/Google devices, would be their default wake-up command. For instance, anybody can activate the Echo services by simply saying ‘Alexa…’ This can be done remotely by sending a voice file as an email attachment. Furthermore, ‘Play Time’ can activate the target device. Even when nobody is around in the target area. Once it is activated, the attacker can do so many things with the device…”
While it may only be annoying if someone plays music on your Echo, there are many other potentially more nefarious things that can happen. The Alexa ecosystem continues to grow rapidly, and there are several home monitoring and security devices which can be integrated with Alexa today including NEST products, Scout Security Inc. and integration with ADT Home Security service. ADT Home Security service customers will be able to arm and disarm their systems via Alexa.
What about Security Issues?
Someone could, in theory, walk up to your home, yell the wake word and some other commands to disarm the security system and/or unlock the door and, voila! This seems to be the biggest potential threat currently. That scenario is possible at this point: the attacker could reach a voice control device from outside and then potentially disarm the security system.
Some smart locks may allow locking and unlocking via Alexa skills. “Entry lock manufacturers Kwikset, Schlage, and Yale have announced new Alexa skills that enable you to control some models of their entry locks via voice commands directed at Alexa-enabled products.” (Michael Brown, TechHive) Other products, however, like the August Smart Lock (2nd Gen) system, do not allow the device to lock or unlock via Alexa skills due to security concerns, but you can check the status. (Reviewed.com)
What Can You Do About it?
Consider muting the mic when you are not going to be home (button on the top of the device). Also, consider enabling notification sounds which can be done in the Amazon Alexa companion app; “The benefit of this notification sound is immediate feedback in case the assistant gets triggered by accident.”
Also, you can check your history of all voice interactions with your Amazon account. Consider monitoring the voice control device like you would any other computing device, checking logs and usage history looking for anomalies. Finally, don’t integrate your smart locks with Alexa.
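One way to do the history review suggested above, as an added example that is not from the original article or from Amazon. The (timestamp, transcript) rows are constructed and their format is an assumption, as are the keyword list and the away/overnight windows; adapt them to what your own history shows.

```python
from datetime import datetime, time

# Constructed sample rows: (ISO timestamp, transcript). This layout is an
# assumption, not an Amazon export format.
HISTORY = [
    ("2017-03-06T07:42:10", "alexa what's the weather"),
    ("2017-03-06T13:15:02", "alexa play some slayer"),
    ("2017-03-06T13:15:40", "alexa disarm the security system"),
    ("2017-03-06T19:05:33", "alexa unlock the front door"),
    ("2017-03-07T02:11:09", "alexa turn on the lights"),
]

SENSITIVE = ("unlock", "disarm")      # commands the article worries about
AWAY = [(time(8, 30), time(18, 0))]   # weekday hours when nobody is home
QUIET = (time(23, 0), time(6, 0))     # overnight window, wraps past midnight


def in_window(t, start, end):
    """True if time t falls in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def review(history, away=AWAY, quiet=QUIET, sensitive=SENSITIVE):
    """Return (timestamp, transcript, reasons) for every entry worth a second look."""
    findings = []
    for stamp, text in history:
        when = datetime.fromisoformat(stamp)
        reasons = []
        if any(word in text.lower() for word in sensitive):
            reasons.append("sensitive command")
        # weekday() < 5 means Monday to Friday
        if when.weekday() < 5 and any(in_window(when.time(), s, e) for s, e in away):
            reasons.append("house should be empty")
        if in_window(when.time(), *quiet):
            reasons.append("overnight")
        if reasons:
            findings.append((stamp, text, reasons))
    return findings


if __name__ == "__main__":
    for stamp, text, reasons in review(HISTORY):
        print(f"{stamp}  {text!r}: {', '.join(reasons)}")
```

An entry that is both a sensitive command and inside an away window, like the constructed 13:15:40 row, is the one to investigate first.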
The Alexa ecosystem is changing quickly, with new skills emerging at a rapid pace. The APIs developed by Amazon and discussed in the first article make these new skills possible. Their uses are diverse, including an e-mail assistant, advanced smartphone control, and vehicle, expense and time trackers.
Another Alexa “skill” makes it possible for you to ask Alexa to check or schedule appointments on your calendar. Simply ask Alexa to enable the FreeBusy Scheduling Assistant which works with a wide variety of calendars. “(Google, Office 365, Outlook and corporate Exchange, iCloud, Outlook.com, Yahoo, Zimbra, etc.)”. Any of these Alexa skills could theoretically be useful in some way to compromise an individual’s security or private information.