Voice-activated, internet-connected personal assistants are all the rage these days. Ask a group of friends what they got for Christmas and at least one will tell you how much they love their new Amazon Echo, Google Home or some equivalent.
This piece of smart home technology is a beautiful thing. But like all good things, there are risks.
Tomorrow is Data Privacy Day, an appropriate time to review those risks – and what users can do to protect their sensitive information.
Your technology is listening
The main concern among security experts when it comes to smart home devices is the degree to which they are listening. They obviously listen for any commands the user might utter, but what else is it taking in, and how could that put privacy at risk?
A murder case in Arkansas makes for an interesting case study.
Arkansas police are hoping that an Amazon Echo found at a murder scene in Bentonville will help them with their investigation into the death of a man strangled in a hot tub.
The Echo answers to the name of Alexa and will play music and answer simple questions on voice command. It also records what you say and sends that recording to a server.
While Amazon’s smart assistant only records what’s said to it after it’s triggered by someone saying “Alexa”, police are hoping that the devices’ habit of piping up in response to a radio or TV might mean it inadvertently recorded something that might be of use to them.
But like other tech retailers, Amazon has resisted pressure to hand over this kind of customer information to law enforcement. Amazon stores voice recordings from the Echo on its servers to improve its services, but the Seattle-based company, which has apparently released the account details of the alleged attacker to police, has declined to provide the voice recordings they are seeking via a search warrant.
Though it remains unclear if this particular Echo recorded anything useful, the case raises a bigger question: with Echo/Alexa, Siri, Cortana and Google’s Home assistant in many homes these days, and knowing that some of the technology is listening and recording, who might be able to exploit that?
In this case law enforcement wants to access a device. But in the future, it may be hackers looking to have a listen.
Lessons from the Dyn attack
Personal assistants fit into the larger concept of the smart home, so it’s useful to look at threats that have already targeted Internet of Things (IoT) devices.
Security experts have long predicted threats targeting everyday home devices connected to the internet, and the threat was made plain last fall when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.
To be clear, that attack infected IoT devices and used them to target a company. It’s not the same as being snooped on, but in many cases the end goal is on the same wavelength: the bad guys want to see or hear what you have for personal data so they can use the information to benefit themselves or their cause.
A few short years ago, IoT attacks were discussed as some potential threat in a distant future. Now they are real. To some experts, it’s only a matter of time before hijacked personal assistants become a clear and present danger.
Defensive measures
Those who choose to use this technology can’t and shouldn’t expect 100% privacy. If not for the ability of Amazon Echo and Google Home to listen, these things would become nothing more than doorstoppers and paperweights.
But there are certainly things users can do to limit the risk of unintended consequences. Here are just a few examples:
- Not currently using your Echo? Mute it The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
- Don’t connect sensitive accounts to Echo On more than a few occasions, daisy chaining multiple accounts together has ended in tears for the user.
- Erase old recordings If you use an Echo, then surely you have an Amazon account. If you go on Amazon’s website and look under “Manage my device” there’s a handy dashboard where you can delete individual queries or clear the entire search history.
- Tighten those Google settings If you use Google Home, you’re already aware of the search giant’s appetite for data collection. But Google does offer tools to tighten things up. Like the Echo, Home has a mute button and a settings page online, where you can grant or take away various permissions.
Anonymous
I would be interested in your comments on the levels of access required to linked accounts – for example – Google home works bets when linked to a google account, but does it require “full access” or “basic Access”? What are the requirements for Amazon accounts?
Simon
“a handy dashboard where you can delete individual queries or clear the entire search history.”
Sure you can, sure you can…
I trust Amazon and Google as far as I can spit a rat not to be vacuuming up industrial volumes of personal data to exploit. It’s Google’s business model.
Mark Stockley
I suspect that the companies concerned have multiple opportunities to get at the data that matters to them anyway.
Amazon Echo is actually quite limited in what it will do and, in our house at least, it’s mostly used as a user interface for selecting music. Our voice recordings will amount to little more than “Play [song|album|artist]”. These voice commands are just triggers for code running on Amazon servers that interacts with Amazon’s other properties, like it’s music library.
Whether the raw audio recordings exist or not I imagine that Amazon has kept a separate history of what really matters to it: knowledge of which music library entries have been played by the account linked to the Echo.
Anonymous
Of course Google’s using your information. Any Google service will do that. If this is a problem to you then don’t keep Google Home in areas of the house where sensitive information is discussed. Google Home fits in with the Google ecosystem. It’s not like Google is getting any new control over your account, it owns your account! Even now, Google home can only really inform you about important information, not create information. These abilities were promised to be added when the voice recognition gets better. Google can’t make calendar entries, reminders, read or write texts, read or send emails, etc. These functionalities are to be added once Google can recognize your voice better and protect your information better.
Bob
Almost a year later, they can make calendar entries, reminders.
Glen Rivard
The problem for Alexa is the foundation difference. Google built theirs based on inference and NOT commands. So with Google Home you just talk naturally and say what you want. Wife can say it one way and I a completely different way and get the same result.
We have had the Echo since it was launched and now have several of the Google Homes. We keep the Echo in the kitchen and then Google Homes in our bedroom and then the kids have their in their bedrooms.
My fav feature right now is the ability to stay warm under the covers and control the TV. Just started working last week without me adding a skill or anything.
Actually wife discoverd when watching a movie and kid walked into our room. Not sure if she was joking as she now does in situation that Google Home is NOT available. So like sitting at a traffic light she will say “hey google change light green”. She said “hey google pause” and the movie paused. When kid left she said “hey google rewind” and it went back some set amount.
The Echo is a great piece of technology but the Google Home is just different as it seems to have more of a brain inside.
Ed
Lazy people who cannot get off their backside to do simple household tasks are now potentially surrendering their constitutional right to privacy? Stupid is as stupid does!
space2k
You think you have a “constitutional right to privacy”? Who’s the lazy one again?
Jenji
It actually is a human right – as declared by the United Nations under Article 12 the Universal Declaration of Human Rights.
The fact you don’t know that is mighty scary!
“Article 12.
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Richard Chandler-Jones
You’re correct space2k. We give up our ‘right’ to constitutional privacy when we’re born!
Nathaniel Jordan (@realnatej)
Call me a kook but there is no way I would put a device in my house that listens to every word. If you think that data is secure then you are bigger kook than me. The fact that they will not share it with law enforcement is even scarier. Think people. Google or Amazon owns every word spoken in your home?. What if you would be exonerated and found not guilty if you had these data files? Soooo, you’ll go to jail, even though there is proof of your innocence?
space2k
Interesting that others would say that sharing with law enforcement is actually the scary part.
Anonymous
“there is no way I would put a device in my house that listens to every word.” Do you own a mobile device or do you only use a landline? It is safer to assume that anything that is connected to the internet is likely recording/ collecting info in one way or another. You would have to take some pretty drastic steps in terms of eliminating tech to keep your info from being intercepted. The fact you are posting on here implies that you are probably already sharing info whether intentionally or not.
Anonymous
Anonymous, I believe you are correct
Some dude
Creepy. Gives me Orwellian vibes.
Alex
Weird question that you might be able to shed some light on:
Say I were living with two roommates and one of them decided to buy an amazon echo, would they need to gain permission of the other roommates for it to be used in the household? Since one roommate could be fully against the idea since they feel it invades privacy?
Is there any legal legitimacy to this, out of curiosity?
Anonymous
Not in the UK as they are not a public authority. Otherwise they would need to make an application under RIPA 2000.
Boogaloo
Sure everyone with a smart phone is already being listened to constantly. I don’t see the echo or home being any more invasive of privacy!
Anonymous
“To be clear, that attack infected IoT devices and used them to target a company. It’s not the same as being snooped on, but in many cases the end goal is on the same wavelength: the bad guys want to see or hear what you have for personal data so they can use the information to benefit themselves or their cause.”
I don’t understand how these are on the “same wavelength”. The Dyn attacks you described had nothing to do with the bad guys wanting to see your personal data. It was a commandeering of people’s devices to do something OTHER THAN spy on you, which they could have done but didn’t. Why didn’t they? Well what would they do with the info once they’ve stolen it?
“using the information to benefit themselves” requires a lot of effort. I think this example proves this info is of less value than people think. Google and Amazon, because of aggregation of massive amounts, are the only ones so far able to eek out some value.
Ryan
Maybe a new command should be introduced to Alexas repertoire.
“Alexa help I’m being murdered”
This could then ping the location and distress call to the local police department for quick dispatch
Paul Ducklin
…but in a case like this one (four people in the house, one murdered, the killer holding the other two hostage) that was not a hoax, who would sound the alarm?
And anyway, how would an IP number pinpoint the location? How often have you had those Facebook login warnings or their ilk say that you’re in another town, perhaps even somewhere you haven’t ever been in your life? (Last night my 2FA security software blithely insisted that I was in London – it specified a suburb, so there was nothing vague about this “fact” – when I was about 100km away in Oxfordshire.)
See, for example:
https://nakedsecurity.sophos.com/2013/01/18/the-man-who-steals-all-the-phones-in-las-vegas-pinpointed-precisely/
Mike Egenlauf
However, the amazon echo app has the option to enter in your home address, so in the case of echo it could use that address rather than IP to pinpoint where it is located.
andrewsalazar98
I can imagine explaining this function to someone whilst in the house and 10 minutes later the cops at my door.
Don Henry
How can I actually know if hitting the Mute button shuts off the microphone. Amazon might say it does but can they prove it? We may lose access to our recordings if we try to delete them but how can we be sure they were deleted? How do we know Google is actually honoring our permissions?
The only completely safe solution is to keep these things out of your home altogether. Yes, you may have to actually pull up a Web site to check the weather. It won’t kill you.
Orwellian Dream state.
As a none mobile phone owner, i seriously can’t believe people use these things. ‘Its great for staying in bed and keeping warm, It can control the TV’….called a remote control, most tvs have them. It can check the weather…. Again weather channel and remote control. The one thing it can do is listen to everything that is said. I’ve got a mate who works in aerospace, they have been specifically warned not to take smartphones past a certain point or discuss work at home due to these devices ‘listening capabilities’. A totally unnessercery device designed for the lazy. Oh well each to their own there will never be one in my house.
Cheri Cornelius
Echo.dot uses an app called “Smart Life” in order to connect all of our new smart plugs, lights and other accessories. I was just connecting mine. It says that when I create a “Smart Life” account, I agree they can do this, “We may collect your age, height, weight and gender. We may also collect other details you provide as part your profile such as your birthday, picture and SIGNATURE.” Why do they need my signature???? Further in the document it says “When you share content or send information to your family or friends, we may collect personal information of those people, such as their names, email addresses, telephone numbers, and mailing address. You hereby represent and warrant that you have obtained necessary consent for use of third parties’ personal data if you choose to provide them to us. When you share content or invite users to use TuyaSmart device, please note that other users may see personal data you share.” I think my echo.dots and accessories may be going back to amazon.
Mike Bakanas
If one of these devices is connected to my home network, what is the potential for it to be used for unauthorized access to computers attached to the network (e.g., NAS)?
Borkbork
If it connects to the internet it has data and data is farmed on a regular basis end of story.
Anonymous
Someone infiltrated my Echo Show and added Hitler and Get a Life to my to do list after I made conservative comments on either Amazon or a Social media site. It is kinda funny but wasn’t smart for them to bring attention to the vulnerability.
Anonymous
You all are Qwacks, thanks for the laughs…lol
Vulture-eye
Turn it all off…your mattress is listening! “But why will you say that I am mad?”