“Alexa, are you making me more vulnerable to cyber attack?”
7th August 2019
Following their recent event of the same name, cyber security experts Jules Farrow and Daniel Lewis of Awen Collective explain the risks of ‘smart’ technology and what you can do to mitigate them.
Perhaps you picked up a new Amazon Echo in the recent Prime Day sale? Or maybe you’re more fond of the Google Home smart speakers or Apple HomePod? Perhaps you use them to control your smart lightbulbs, view the video from your smart CCTV cameras, or even see who’s ringing your smart doorbell. Maybe you can control your heating from anywhere in the world with your smart thermostat. Even if you’re not a fan of all those devices – it’s highly likely that the phone, tablet or computer you’re reading this blog on right now has the capability for you to speak to it through Siri, Cortana or Google Assistant. But have you ever considered whether they all might be making you more vulnerable?
All these devices and voice assistants store data about you – but do you know what they’re storing? How about how long they’re keeping that data? Or whether the data being stored personally identifies you, or is stored anonymously?
Often the concern here is that your phones (or other smart tech) are listening to you. There’s plenty of anecdotal evidence here, and everyone has a story of that time you mentioned something obscure to a friend over lunch, and next time you went on Facebook had something related advertised to you. Unfortunately, there’s very little in the way of technological evidence to support this idea – put simply, there’s way too much data to be filtering through to be listening in to your conversations 24/7 for the purposes of selling you a new BMW – it wouldn’t be cost effective. Most people don’t realise how much of a ‘digital footprint’ they’re leaving behind whilst they’re using the internet, often making it very simple to predict products or services you may be interested in purchasing, and advertise them to you. TechRadar published a great article on this subject, amongst all the scare-mongering half-truths you often see from other media outlets.
So, if they’re not listening, what are Alexa, Google, Siri and Cortana recording? All these voice assistants are designed to be activated by a ‘trigger phrase’ – in this case, ‘Alexa’, ‘OK Google’, ‘Hey Siri’ and ‘Cortana’ respectively. These devices should only begin recording and transcribing your voice once you have said the trigger phrase. There are some examples of accidental triggers, and this is something all the providers are constantly working to improve and avoid. In fact, it’s the primary reason that all of them will keep both the voice recording and the transcription of what they believe you said – in order to continue training their software to improve the detection of trigger phrases, and the correct identification of the words you said.
The table below outlines the data stored by these voice assistants – in short, if you’re worried about protecting your privacy, your best of the bunch is Siri, and by far the worst is Cortana – you know, the one that’s by default installed and enabled on every Windows 10 computer…
As for other smart technology or ‘Internet of Things’ (IoT) devices, like lightbulbs, doorbells, pad/door locks, CCTV cameras, thermostats or even kettles, the risks continue to pile up. These devices are often built cheaply and very rarely have security at the forefront of their product development (despite Governmental efforts to promote a secure-by-design methodology). Personal risks to you as a user of an IoT device could include the availability of data which could indicate when you’re home (turning your lights on/off, un/locking your doors, changing your thermostat or even boiling your kettle), which if you’re using an Amazon or Google product to control them, would be tied directly to your personal information. If I were able to gain access to your Amazon account without your knowledge, not only would I be able to tell when you’re likely to be home, but also I’d have your name and address too. Not ideal!
Worse still could be the effect on society as a whole. Cheap IoT devices are often easily hacked remotely and at large scales, leading to an individual being able to control the actions of a large number of internet connected devices (known as a botnet). This could cause all sorts of problems, such as the recent use of the Mirai botnet (entirely comprised of CCTV DVR systems) to take down websites including Twitter and Facebook. Worse still, if devices like lightbulbs and thermostats were compromised, a botnet could potentially cause effects like spikes on the power or gas grid, potentially leading to widespread outages, not only for IoT users, but everyone else too.
So – what can you do? The National Cyber Security Centre of GCHQ has recently published a very handy guide on using smart devices safely in the home. To distil both their and our thoughts at Awen:
- Pay attention to the devices you’re buying; who makes them, and what is their record on cyber security?
- Set strong passwords, and never leave devices with default credentials enabled
- Keep your devices updated to the latest version
- Follow basic cyber hygiene – NCSC’s top tips for staying safe online
Perhaps you’re also running your own small business – NCSC also have advice for keeping your company secure and we’d certainly suggest you look to get your company Cyber Essentials approved – both for your own peace of mind, and your customers’.
Do always remember – there’s always an inherent risk to introducing IoT devices into your life – is the convenience of being able to boil the kettle from bed really worth it?
If you’ve managed to read all the way to the end (congratulations & thank you!) and you’re still hungry for more IoT security fun/horror stories, I’d highly recommend watching Ken Munro of Pen Test Partners at a recent TEDx talk.
About: Awen Collective has been reducing the cost of cyber-threats to operators of industrial technology, including advanced manufacturing and critical national infrastructure since 2017. Awen has been based at Welsh ICE since December 2018.