Whiteboard Wednesday:

Securing Your Voice-Controlled Devices

October 10, 2018

For National Cybersecurity Awareness Month, Kwan Lin, Senior Data Scientist at Rapid7, gives some tips and tricks on how to properly authenticate your voice-controlled devices, such as the Amazon Echo, in order to minimize privacy concerns and unauthenticated purchases. Understand how voice-controlled systems are activated, and how you can set up your device so it responds to only you.

To dive deeper, check out our blog post on managing cyber risk at home.

Video Transcript

Hi, my name is Kwan Lin, Senior Data Scientist at Rapid7, and for Cybersecurity Awareness Month, I'm here to share some useful tips on IoT security that I've picked up from our research lead, Deral Heiland. In particular, I'll share some security tips for voice controlled systems such as the Amazon Echo. These devices provide plenty of conveniences, but they do also come with some security risks.

Show more Show less

That's not to say that such devices should be strictly excised from your network. After all, any network device that you use, including your computer or your cell phone, comes with some degree of risk. The solution to addressing your risk concerns is to engage in appropriate risk management.

In cybersecurity, we often consider the attack surface, which represents the breath of vectors through which vulnerabilities are exposed, and potentially compromised and exploited. Introducing an Echo inevitably expands that attack surface.

As a security minded user, your goal should be to shrink that attack surface so that the risk of something bad happening is tolerably low. What actually you could take with the Echo is to change the device's wake word. These voice control devices are constantly passively listening. They're waiting for particular words to be uttered such as "Alexa." Once the wake words are received, they then switch to an active listening mode where they're actively trying to absorb everything that's said, parse the words for meaning, and perform some sort of action based on what's understood.

This word trigger represents a point of risk. If the Echo hears "Alexa" from someone that shouldn't have control, from the phone or from a nearby television, it might act in an unexpected manner. By changing the wake word to something less common, the probability of unintentionally awakening the device is reduced. In fact, the attack surface is shrunk.

An especially irritable risk is the risk of these devices unintentionally ordering products or making payments. This risk can be mitigated with proper authentication. In security, authentication refers to proving one's identity. Theoretically, only properly authenticated individuals should be authorized to perform particular actions such as making voice purchases.

Authentication can be achieved using a few types of things, things you have, such as the physical key, things you are, in this case your voice, or things you know, such as the password.

Here we can add an authentication layer by implementing a pin to prevent undesired purchases from being made. There's also a pervasive concern that these always listening devices can compromise privacy, especially if they're unintentionally awoken and begin to actively listen without the present audience's awareness. This risk to privacy can be constrained with a proper communication protocol.

In information security, we often think in terms of communication protocols. Such protocols establish standards around initiating communication by one party, such as a person, acknowledgement that the initiation was received by the counter party, such as an Echo device, and then allowing the original party to begin the communication with an expectation of what the counter party might do with that communication.

We can modify the Echo such that it responds to its wake word with an audible beep. This is the device's acknowledgement to speakers that it's listening. If you have this set up, and you hear a beep, you're now warned that your dialogue is being listened to.

For more information on securing your voice-controlled devices, check out Deral's blog post on voice-controlled devices on blog.rapid7.com.

If you have any questions along the way, certainly feel free to reach out to us at research@rapid7.com.

That's it for this week's Whiteboard Wednesday, and we'll talk to you next time.

Rapid7 IoT Testing Services

Learn more about our IoT team and what we do here at Rapid7.

Learn More

Manage Your Risk at Home with Simple Tweaks to Your Voice-Controlled Devices

Dive into our blogpost to further learn how to secure voice-controlled devices.

Learn More