Last updated at Tue, 25 Apr 2023 22:16:18 GMT

October is now in full swing—a month of flannels, falling leaves, and forming better security habits as part of National Cybersecurity Awareness Month (NCSAM). This government and industry initiative aims to provide education on how to stay safer and more secure while online, as well as boost the country’s resilience to cyber-threats. Over the course of the month, we will discuss topics such as educating for a career in cybersecurity, ensuring online safety at work, and securing the nation’s most critical infrastructure.

In this week’s post, Deral Heiland, Research Lead - IoT at Rapid7, will dive into how you can boost security in your home through a few simple tweaks to your voice-controlled devices.

I have had several conversations recently around whether you should use voice-controlled systems in your home. The true answer to this question comes down to whether you personally feel comfortable with these technologies, but if you do embrace them, I encourage you to use them wisely to reduce any security risks and vulnerabilities they may create.

Let’s take a look at the Amazon Echo Dot and Google Home Mini. If you haven’t used either of these products before, I recommend taking a look. I currently have several Amazon Echo Dots around my house for playing music, streaming the radio, checking the weather, setting alarms, controlling lights and fans in my house, and asking any odd questions I am too lazy to type into a Google search.

These are only a few examples of the tasks these technologies can help with—but they do still come with risk. The good news is that there are a couple of simple steps you can take to help reduce some concerns surrounding voice-controlled systems:

Switch up your wake word

When talking about products like the Amazon Echo, people regularly ask me, “Does this tech listen to everything I say?” Well, yes and no. The technology is listening for a wake word, which activates the device and triggers it to send what follows to the internet to be processed and stored so the device can hopefully respond with an answer or the requested action. This is the way it was designed, and if used properly, I feel it has limited and definitely manageable risk.

By default, the Echo’s wake word is “Alexa.” Everyone now knows this wake word, and there have been a number of documented incidents where the device carried out an action such as attempting to order products because a show on a nearby television said, “Alexa.” The Amazon Echo can also be activated by anyone in or outside your house who says, “Alexa,” or even an incoming call on your landline phone answering machine, if the volume is set high enough to hear the incoming caller.

The way to combat this is to change the wake word. Although this isn’t a perfect solution, it does obfuscate the attack surface. Currently, the Amazon Echo supports four wake words: “Echo,” “Alexa,” “Amazon,” and “Computer,” as shown below:

Figure 1: Change Wake Word

You can also limit risk around voice ordering by setting a PIN that will ensure no purchases or payments are made without your explicit permission.

Figure 2: Voice Purchasing

In the case of the Google Home Mini, there is no way to switch between different wake words. The product currently wakes via “Hey, Google” or “OK, Google,” which I find awkward to say. But, to have a little fun, I also found out that the device will awaken to “Hey, Boo-Boo” if you want to be different.

Confirm when your device is listening

Another concerning issue is that the wake word on the Amazon Echo can still be accidentally and randomly triggered from sounds and voices from many sources, which means anything I say after the wake word triggers the device and could get sent to the internet. In the privacy of my home, I want my comments and conversations to remain private.

In one recent example, an Amazon Echo recorded a conversation and sent it as a message to someone in the owner’s address book—an incident surely no one wants. Amazon took some action to prevent these types of accidents from occurring, but what can we do to reduce the risk of private information being accidentally recorded? The way I do this is to have the Amazon Echo alert me when the wake word is heard by emitting an audible tone that indicates it is in recording/processing mode.

Figure 3: Request Sound

This way, I know that the Amazon Echo is active and I can stop talking until it emits another audible tone indicating the recording/processing function has concluded.

With the Google Home Mini, I have noticed there have been fewer times the wake word has been accidentally triggered. This might be because the wake word “Hey” or “Go” must be combined with “Google.” Either way, the Google Home Mini also has a setting that enables an audible tone to indicate when recording/processing has been activated. This can be enabled on the device using the Google Home mobile app’s “Device Setting” under “Accessibility.”

Figure 4: Google Home Accessibility

These small adjustments may not be the be-all and end-all for security, but they do help. Now I know that if someone attempts an attack against my device with the default wake word “Alexa,” it will not work. Also, when I hear that tone from my Amazon Echo Dot or Google Home Mini, I know to stop talking until it concludes with another audible tone. All it takes is just a couple of simple configuration changes to help you reduce a few areas of risk and leverage your technology with more comfort.

Image source: Flickr/Stock Catalog