What are the devices?
Smart speakers include voice assistants that can carry out tasks from your voice commands such as music playback, setting timers and alarms, providing real-time information such as news, weather, sports etc. and if you are more tech-savvy, voice assistants can even assist you in controlling your smart homes, such as turning on lights, central heating, and other electrical appliances. But is that all they are capable of?
Voice assistants have become increasingly popular since 2010 when Siri was published and then acquired by Apple. With the proliferation of voice-controlled devices, with more than 3 billion of these devices in use around the world, what should you be worried about? Are you being listened to? Is a TV advert going to buy something on your behalf? Where are your voice recordings stored? Can having a virtual voice assistant make your home network more vulnerable to attack? Read more to learn about how you can protect yourself against a potential silent attacker that’s listening to your every word.
How do they work?
The way voice assistants like Alexa work is by having always-listening microphones, using voice recognition to detect a “wake word”, which then starts recording your voice commands to be sent to the Alexa service for automated processing of what you said. That’s why you always need an internet connection for them to work.
You can set what the “wake word” is – the default is simply “Alexa”, but you can also choose it to be “Amazon” or “Computer”. There are no other choices for the wake word, so that means the recognition of it is being done by the Amazon Alexa devices themselves.
Is Alexa Listening?
Given that Alexa is always listening on the smart speaker such as an Echo or Dot, there is huge potential for Alexa users to be overheard, either by design or accidentally.
At Amazon, the voice recordings are listened to by employees to ensure they are constantly monitoring and improving the system, whilst this is not explicitly stated in the Alexa terms & conditions, the implication is there. Amazon has also previously admitted that the way they improve Alexa, is by listening to recordings. If the Alexa device is unintentionally triggered, the device will still record, so anything during this period may be heard.
If you do not want your recordings to be included in the monitoring by Amazon, you can turn off this feature, tap Settings > Alexa Privacy > Manage Your Alexa Data. Then turn off the toggle switch which says, “Use Voice Recordings to Improve Amazon Services to Develop New Features.” You can also stop Alexa listening, by muting your device, do this by pressing the microphone button on top of your device which will switch off the microphone. Google no longer uses human review to improve their services, but you can still go to your Google account > Web & App Activity and uncheck the box that says Include Voice and audio recordings. Since August, Apple has also announced that they will no longer listen to Siri recordings without permission, this is an opt-in feature, but to turn it off, visit Settings > Privacy > Analytics and Improvements then turn off Improve Siri & Dictation.
If you have had these settings enabled, you can delete voice recordings history by going to the Alexa app and in settings go to Alexa Privacy > Review Voice History > Delete Recordings for All History. You can also say to Alexa, “Alexa, Delete everything I said”For Google, you go to myaccount.google.com then Data and Personalisation > Web & App Activity > Manage Activity expand the 3-dot menu, then select Delete activity by and then select all time and delete to confirm. For Apple users, go to Settings > Siri & Search > Siri Dictation History > Delete Siri Dictation & History.
Have a private conversation
Most smart speaker devices have a mute or privacy button. This stops the listening, and so means you can be sure that you are not being recorded or overheard by your device.
The devices that now also have integrated cameras which will also have a physical shutter that can be closed, ensuring the camera cannot operate.
These privacy features can alleviate many peoples privacy concerns that having these devices in their homes bring.
With the Amazon Echo, Dot or other Alexa enabled devices, you can use a voice prompt to make purchases of virtually anything on the Amazon store, part of the idea of “voice commands”. As well as children who may hijack your smart speaker and order whatever they feel like, you might also have guests who may find it amusing to use the “Alexa buy…” feature as a ‘harmless’ prank. Alexa could also accidentally mishear a conversation, purchase something on your behalf leaving you none the wiser until it shows up at your door the next day.
You can turn off voice-enabled purchasing by going to the Alexa app, click More > Settings > Account Settings > Voice Purchasing, then turn the toggle to the off position. You can also change the settings to enable the requirement of a confirmation code. Do this by going to Settings > Voice Purchasing > Require Confirmation Code type in a four-digit pin that you can easily remember, but that other people won’t guess, for example, your year of birth may be too obvious and easy to crack.
To turn off voice-enabled purchasing for the Google Assistant, log into the Home app on your Android or iOS device, expand the hamburger menu, select More settings > Payments and turn off Pay through your assistant. You can also remove all your payment info for extra measures, this is also beneficial in case somebody uses your credentials to log into your account.
Alexa Drop-in Feature
The Alexa drop-in feature enables users to “drop-in” on a friend or family member without them accepting or declining your call. Once you have enabled drop in for a certain user, they will be able to drop in until you disable this feature for them. Even though you may trust somebody enough to drop in whenever, you may have guests having private conversations in front of your device, or somebody could potentially drop in during a time when you’re not decent, which would be a huge concern considering some echo devices now have cameras.
Go to the Alexa app, open Communicate > Contacts > My Communication Settings, then use the toggle to switch Drop-In, either on or off.
Can Alexa be Hacked?
The risks listed above are mainly legitimate features, that could merely be taken advantage of. But what about when you go deeper and look at the darker side of the safety of AI listening devices? As AI listening devices are fitted with a microphone and more recently a camera too, there is the possibility that malicious third parties could gain access to your devices and effectively turn it into a wiretap with a few slight modifications. Now, this may not seem likely to happen if your AI listening devices are kept securely in your home, but what if you were to buy a secondhand device or a device that may have been returned in-store, that could’ve been tampered with and not checked before being resold?
Make sure any AI listening device, or electrical device, that you buy hasn’t been tampered with. Additionally, make sure to keep your AI device in a secure location, like inside your home where it cannot be accessed by external people.
Using the Amazon Alexa device, you can download “skills” to your device, which are basically like apps for Alexa and allow you to interact with your device in many ways, creating many different outcomes. There are numerous different skills: knowledge skills, cooking skills, video skills, smart home skills, list skills, music skills and many more! Similarly to an app store, third-party developers can build and publish their own skills for others to download to their devices. Although Amazon has in place certification requirements, which include security requirements, there have been articles published by Cyber Intel Mag explaining how malicious Alexa skills could easily bypass security. It included research that showed that almost a quarter of Alexa Skills don’t fully disclose the data they collect, which could be more of an issue in the “kids” and “health and fitness” skill categories due to the different privacy settings required by regulators in these areas. It was also found that gaps allowed threat actors to publish skills under any developer name and make backend code changes following approval, allowing them to phish out sensitive information.
Don’t download any Alexa skills that might have low reviews, no reviews, or that look suspicious. Amazon has now said that these bugs have been fixed, but the best way to stay safe is by being vigilant. You can also revoke permissions for skills by going to Menu > Skills & Games > Skills, then select the skill you want to look at, then Settings > Manage Permissions > Turn permissions toggle to off and save your settings.
Conclusion – Is Alexa Safe?
In conclusion, whilst the internet of things is always progressing, threat actors are doing what they can to keep up and infiltrate security measures wherever possible. With AI listening devices rapidly changing and more recently including new features such as cameras and drop-in features, making sure you stay secure is paramount. Updating the software regularly can be a great way to combat security issues as there are often regular updates that include security patches. On top of this, make sure you follow the steps above to protect your personal data.
If you have any concerns surrounding the safety of your business’ IoT devices, get in touch to learn how we can help.