Know the risks of Amazon Alexa and Google Home

Voice-activated, internet-connected personal assistants are all the rage these days.  Ask a group of friends what they got for a recent birthday gift and at least one will tell you how much they love their new Amazon Echo, Google Home or some equivalent.

This piece of smart home technology is a beautiful thing. Like all good things, there are risks.

Your technology is listening

The main concern among security experts when it comes to smart home devices is the degree to which they are listening. They obviously listen for any commands the user might utter, but what else is it taking in, and how could that put privacy at risk?

A murder case in Arkansas makes for an interesting case study.

Arkansas police are hoping that an Amazon Echo found at a murder scene in Bentonville will help them with their investigation into the death of a man strangled in a hot tub.

The Echo answers to the name of Alexa and will play music and answer simple questions on voice command. It also records what you say and sends that recording to a server.

While Amazon’s smart assistant only records what’s said to it after it’s triggered by someone saying “Alexa”, police are hoping that the devices’ habit of piping up in response to a radio or TV might mean it inadvertently recorded something that might be of use to them.

Like other tech retailers, Amazon has resisted pressure to hand over this kind of customer information to law enforcement. Amazon stores voice recordings from the Echo on its servers to improve its services, but the Seattle-based company, which has apparently released the account details of the alleged attacker to police, has declined to provide the voice recordings they are seeking via a search warrant.

Though it remains unclear if this particular Echo recorded anything useful, the case raises a bigger question: with Echo/Alexa, Siri, Cortana and Google’s Home assistant in many homes these days, and knowing that some of the technology is listening and recording, who might be able to exploit that?

In this case law enforcement wants to access a device. But in the future, it may be hackers looking to have a listen.

Lessons from the Dyn attack

Personal assistants fit into the larger concept of the smart home, so it’s useful to look at threats that have already targeted Internet of Things (IoT) devices.

Security experts have long predicted threats targeting everyday home devices connected to the internet, and the threat was made plain last fall when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.

To be clear, that attack infected IoT devices and used them to target a company. It’s not the same as being snooped on, but in many cases the end goal is on the same wavelength: the bad guys want to see or hear what you have for personal data so they can use the information to benefit themselves or their cause.

A few short years ago, IoT attacks were discussed as some potential threat in a distant future. Now they are real. To some experts, it’s only a matter of time before hijacked personal assistants become a clear and present danger.

Defensive measures

Those who choose to use this technology can’t and shouldn’t expect 100% privacy. If not for the ability of Amazon Echo and Google Home to listen, these things would become nothing more than doorstoppers and paperweights.

There are certainly things users can do to limit the risk of unintended consequences. Here are just a few examples:

• Not currently using your Echo? Mute it The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
• Don’t connect sensitive accounts to Echo On more than a few occasions,  daisy chaining multiple accounts together has ended in tears for the user.
• Erase old recordings If you use an Echo, then surely you have an Amazon account. If you go on Amazon’s website and look under “Manage my device” there’s a handy dashboard where you can delete individual queries or clear the entire search history.
• Tighten those Google settings If you use Google Home, you’re already aware of the search giant’s appetite for data collection. But Google does offer tools to tighten things up. Like the Echo, Home has a mute button and a settings page online, where you can grant or take away various permissions.