In this post I am going to give you a little bit of fear. Just enough to make you aware of the dangers of virtual voice assistants like “Alexa” but I’m also going to take it away by explaining how to configure them to make them more secure during use.
In 2017 in Dallas, Texas, a girl as young as six years old took advantage of an oversight by her parents to buy a dollhouse and almost two kilos of cookies through the smart speaker: Amazon Echo. Shortly after, a presenter of the CW6 channel commented on the news: “I love the little girl saying ‘Alexa asked me for a dollhouse'” and, following the news hundreds of Amazon Echo owners, who were watching TV at the time, repeated the same order.?
That same year, the characters of the South Park series carried out a similar massive attack and also got the owners of these smart speakers, through Alexa, to add to their Amazon cart several items and set an alarm at 7 am.
This today is still happening, many virtual assistants could receive their corresponding activation command via TV or radio and perform any action arbitrarily. And this is just one of the basic risks that we face today…?
The popularity of virtual voice assistants (VVAs) continues to grow. The most famous and currently present are Google Now, Apple Siri, Amazon Alexa, Samsung S Voice and Microsoft Cortana.
There are currently more than one billion devices with speech recognition worldwide and we are not only talking about dedicated devices, but also about phones, televisions, vehicles, wireless headsets, home appliances…. all of them with the adjective “intelligent” that are integrated or included in a speaker with automatic speech recognition or ASR (Automatic Speech Recognition) and natural language understanding or NLU (Natural Language Understanding) that are the bridge to our virtual assistant that can do more and more things as the Internet of Things (IoT) is penetrating to the foundations of our society.
In the United States, one in five households already has a smart speaker and, a study by Juniper Research claims that by 2023 there will be more than 8 billion voice assistants in the world and that by 2024 there will be more devices with voice assistants than people.
☄️ Obviously, such proliferation is not unknown to cybercriminals, who are targeting these voice assistants as one of their main objectives as they acquire more capabilities. From making direct purchases to home automation tasks such as controlling the light or temperature in a room and many other functions such as checking bank statements.
On the other hand, they are also not exempt from controversy in terms of privacy as there are constant reports of data collection. For example, Google Assistant technology was recently reported for listening to users’ conversations even without being voluntarily activated. With all this, of course, we should take their safety seriously, shouldn’t we?
What are the main risks we face?
? We can summarize the main risks that consumers face in two main blocks: access to sensitive information and unauthorized use or control.
Risk 1: Access to sensitive information
Speaking of the first and concerning privacy, if a speaker is waiting for us to “summon” it is because it is constantly listening and recording information. Even if we are very restrictive with the configuration we are not certain how safe our history can be. What would happen if I am in an office with a client and one of those speakers listens to the conversation and sends it to the cloud? And it’s not just our conversations, assistants often handle personal information such as credentials to access multiple services. Can you imagine what this safeguard means to any cybercriminal?
Risk 2: Unauthorized use
On the other hand, that a message from the outside could open an automated garage door or deactivate an alarm is not a pipe dream. Ultrasonic attacks have even been developed that send commands to the assistant imperceptibly to the human ear, the so-called Dolphin attack. ?
Not only is there a risk that an attacker can compromise our online accounts, but often assistants transcend into the physical world by managing multiple devices in our home. Even the integrity of people is at risk if an attacker can get to control our assistants and other devices.
8 + 5 general measures to be more secure with our virtual assistant:
The recommendations to properly use these devices are often common sense, especially making an effort to review the privacy policy and know all the configuration options provided by the voice assistant and the devices it governs. As far as possible try to:
- Configure the assistant to recognize only your voice or the voice of the person you want
- Change the default activation phrase word
- Disable functions that are not being used, both in the assistant and in the connected devices
- Set a password to access personal data and direct purchase services
- When available,use a second authentication factor
- Modify or hide the actual location of the device
- Delete searches and orders on a regular basis
- Keep software and firmware up to date
And of course, keep in mind some general and environmental guidelines:
- Turn off the device when we are not using it or, at least, disable the microphone
- Do not broadcast on social networks the brand of the device or its geolocation
- Use secure passwords for all our accounts
- Connect the device only to secure Wi-Fi networks and improve the security of our network from the router settings
- Review interconnected smart devices because they may have vulnerabilities or insufficient security measures
It should also be noted that on July 7, 2021, the European Data Protection Board (EDPC) adopted Guidelines 02/2021 on virtual voice assistants, which aim to provide guidance and guidelines on the practical application of the General Data Protection Regulation (GDPR) in the context of voice assistants in such a way that they best ensure the protection of their users’ personal data and privacy.
Countermeasures specific to each assistant
Finally, talking about the options of each assistant individually would make this article too long but at least I wanted to put some links so that those of you who have not yet done so, you can begin to delve into the particularities of those you have at home. So to conclude I leave you some official references to the main manufacturers currently available:
? I hope this article serves to draw the attention of all those who did not yet have that security awareness for their devices and voice assistants and to encourage all of you to improve it.
Any comments, recommendations or feedback is welcome, “Alexa, keep us safe”.
Santander Global T&O is the global company, part of Santander Group with more than 2,000 employees and based in Madrid, we work to make Santander an open platform for financial services.
Check out the positions we have open here to join this great team and Be Tech! with Santander ?
Follow us on LinkedIn and Instagram.
Vicente Motos
Santander Global T&O
Currently working in the Santander Threat Response department focused on tactical intelligence, threat analysis and engineering. Self-taught and passionate about computer in-security and hacking for many years, I actively participate in the community and author of many technical posts.
