Should we Fear the Amazon Echo or Other Smart Speakers in our Home?
Author: Tim O’Connor
I am a cyber security professional and when I tell some of my peers that I have several Amazon Echo smart speakers in my home and workshop they sometimes look at me like I just said Edward Snowden was my roommate or that I just beamed in from the alternate universe where Spock has a beard. They immediately tell me that these smart speakers send recordings of my voice commands to the cloud. They tell me that such smart speakers could have software bugs allowing unintended sound to be sent to the cloud. They tell me that the commands I give to my smart speaker could be and are likely used by Amazon to profile me for marketing. All of these statements are, in fact, true.
After agreeing with my peers, I did not run home and toss my smart speakers in the bin. Though I did ask my Echo to add “write blog about smart speakers to my to-do list”.
It is right and good to be concerned about personal data leakage and profiling by smart speakers. I guess my “gripe” is with people that denounce the use of smart speakers but then turn around and use general apps on their smart phone, utilize “free” email accounts with Google, have “free” cloud systems accounts with DropBox or Microsoft and even social media accounts with default settings. As I type this, leaks and abuse of Facebook account data is all over the news.
Yes, it is a little spooky to talk to a cylinder in the kitchen about to-do lists, shopping, weather, the joke of the day and what will be made for dinner but, in my opinion, it is much spookier when Facebook or my Apple phone identifies me, my family members and even contacts I forgot I had with facial recognition software I never even turned on or installed.
In very general terms, I also tend to trust what I pay for over so called “free” services such as email, cloud accounts and social media accounts. Nothing is free and those services that are offered at “no cost” do indeed cost someone. Nearly all of the “free” internet related services I know of make money by some sort of customer profiling, typically in the form of sharing personal information.
Smart speakers are not the only threats to your personal information and I would argue they are not even at the top of the list when compared to social media, your smart phone and accounts made to get free services. Don’t forget that voice recognition software and digital assistants like Cortana or Siri are potentially much more information invasive then the current line of smart speakers. One of my mentors at work shared with me a story about a phone app he was evaluating that would help you stop snoring. The app listens to you sleep and then wakes you if you begin to snore. Our minds wondered for a bit as we pondered what other bedroom sounds might be getting streamed to the cloud.
Even if your technology does not talk to you or take photos, the potential information it can share about you is crazy. More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics (1). Just paring your smartphone to your rental car could be a huge breach of information about yourself and your employer. IoT (Internet of Things) devices like your wireless “security” camera likely has no industry standard security code to keep it from being hacked.
Assuming you have ‘locked down’ all of your technology, tossed out your smart speakers and smart phone, and utilize encrypted email… is your personal information now secure? Chances are no, because if you use the internet at all, new laws allow your ISP to profile you based on your traffic patterns.
In my opinion, focusing on smart speaker data exposure is like complaining about a heavy dew during a tsunami.
I believe that such complaints are distracting and if you then rid yourself of your smart speaker perhaps you will gain a false sense of security and turn to using something even worse for those tasks, such as third party phone apps. I think it is a much better idea to understand the settings of your smart speaker. Have you configured it to only listen only to the audio you want it to? What are your “wake word” settings and what do you know about paired devices and third party skills?
Here are the basic settings you want to check if you own the Amazon Echo:
- Disable purchases or at least add a purchase pin code.
- Consider disabling the wake word follow up mode.
- Make sure your Amazon.com account is well secured with a good password and account settings.
- Your Echo uses encrypted communications but for this to work you need to make sure your home WiFi is also well secured.
- Make sure your “drop in” settings are off or set to household only.
- Turn off your smart speakers if you go on vacation. Someone could yell into your house to activate your speakers so think about when your speaker’s mic should be disabled.
- Echo skills are basically third party Apps so you want to think about what information a skill might share to a third party and keep skills to a minimum.
- Make a housecleaning check list and reminder for your Echo that includes weekly deleting of all recorded history (Under settings) and removing any skills that you do not use regularly.
For more information on Echo security settings or if you have the Google Assistant check out Symantec’s guide to smart speakers: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-security-voice-activated-smart-speakers-en.pdf
If you are concerned about personal and business information security I would strongly recommend educating yourself, your family and your fellow employees by taking some form of good Security Awareness training. Knowledge is power and Security Awareness is just that, being aware of how personal information is used by consumer and corporate products and making a reasonable decision on how to balance lifestyle and personal security.
Once you are armed with this Security Awareness information you not only know how to be a “smart shopper” when acquiring Apps and devices but you will also know what to do if someone tries to leverage your personal information against you.
Ok, repeat out loud with me “Alexa, add schedule Security Awareness Training to my To-do List”