Smart Speaker Data Leaks

Amazon Alexa, Apple Siri and Google Assistant all offer voice activated assistance.  Related devices such as the Ring doorbell also include cameras, so they can see as well as hear what is going on around them.  None of them are designed with business security in mind.  They are unlikely to crop up in a traditional office, but with many people working from home they may well pick up confidential information.  A fragment of conversation might be interpreted as a command to send an email, upload a file or make a purchase.  The device will acknowledge the action, but that response may go unheard, and in the case of a data transfer the leak cannot be reversed.

This risk can be reduced by keeping the device away from the part of the home (or office) where such information is discussed.  On some devices the microphone sensitivity can also be adjusted to restrict the range over which the device responds.  On all of them the microphone can be turned off completely, either through a button or a voice command.  Of course, once muted the only way to turn listening back on is the button, which defeats the purpose of having a device that is always on and ready to receive commands.  The ultimate approach is to turn the device off.  Some, such as the Amazon Echo Dot, have no power button, and the only way to be absolutely sure they are not listening is to unplug them from the power source.

The ‘smart’ devices can and probably will collect data from conversations with their owners.  This is ostensibly to tune the system, making it better at recognising commands and providing more useful responses.  It will certainly feed work on the underlying AI response system.  Although this is far from the depth of ChatGPT type models, the system operators will be working towards that goal.  In May 2023 the Federal Trade Commission announced settlements with Amazon totalling $30.8 million: a $25 million civil penalty over Alexa’s retention of children’s voice recordings and location data, and $5.8 million in customer refunds over Ring, whose failings included staff access to customer videos and account takeovers between January 2019 and March 2020.  Of particular concern was the collection of, and access to, data concerning children.

The data collectors will also be looking at the value of what they gather as a means to further monetise their services.  This will not necessarily be the makers of the devices themselves.  The various third party apps, without which the services would be very limited, will all be looking to collect their own user data.  Some information, such as the voice history (used to optimise responses to the customer), can be deleted through voice commands.  The user is trading a possible drop in performance for an increase in personal privacy.

There will also be a means to opt in to, or out of, what is collected and retained by the various remote services.  As this is generally a more complex decision tree than simply installing a service (a simple yes or no would be too easy) these settings tend to live in the software interface used to administer the device, and they vary with the software version in use.  Consumer Reports publish a guide on where to start with privacy settings.

Any device software should always be kept up to date.  This will not only aid functionality but will implement any security fixes the manufacturers have had to release following legal challenges or vulnerability reports.  Ethical hacker Matt Kunze reported that Google paid him $107,500 for disclosing a flaw in the Google Home Mini that allowed a nearby attacker to link a rogue account to the device and then issue commands to it remotely.  The flaw was reported in 2021 and has since been patched.  As long as the device is fulfilling its purpose and the manufacturer is supplying regular updates there should be no need to replace it with a more recent model.  If passing on an older model it should always be returned to factory settings before moving it on.  This should remove personal and connection data from its storage.  It will also remove any third party software that a previous owner might have installed to hack the device for their own (just about) legal activities.
