Here is a sentence you have probably never heard: “Alexa, send our company banking credentials to a cyber-criminal.”
Nobody, of course, would deliberately invite their smart speaker to share confidential information with bad actors. And the software itself (Alexa, Google Home, etc.) is not designed to do bad things.
But, that doesn’t mean bad things can’t happen.
In a recent experiment, researchers from SRLabs were able to demonstrate how a malicious operator could “vish” (voice-phish) passwords of smart speaker owners (something I guess we should call a “spishing attack”) through a combination of device weaknesses and deliberate misleading of unsuspecting users.
The details of how it’s done are more than you probably want to know (you can read for yourself, here, if interested). But the point is, if you have a smart speaker in your home or office, you’ve got a potential threat to your privacy.
A Modern-Day Trojan Horse?
A Trojan Horse Replica, Not Alexa!
Every business takes steps to keep unauthorized people off its premises, whether that involves locks on doors, electronic key tags, security guards in the lobby, or something else. When it comes to physical trespassing, and maybe because this is something we can plainly see, we go to great pains to keep intruders out.
But that’s old school crime. Today, a bigger threat is your confidential and valuable data going out the door and malware coming in.
Ironically, when you carry in a smart speaker, you are bypassing all the physical security you’ve set up and voluntarily planting a potential intruder within the walls of your company!
Two Things You Need to Know
1. Alexa is always listening. Alexa isn’t just listening when you say “Alexa” to wake it up — the microphone is always on, and the device keeps a short local audio buffer so it can spot its wake word. Amazon says audio is only sent to its servers once the wake word is detected, but wake-word detection is imperfect: Alexa hears its name many times when you didn’t say it, and each of those false triggers sends a recording to Amazon, where it stays in your account’s voice history until you delete it.
2. Humans are listening too. Amazon employs people, including contractors, to listen to and transcribe a sample of those recordings and feed the results back into the software, with the goal of improving Alexa’s ability to decipher human speech.
The point is, while there may be nothing nefarious going on, it’s easy to see how this information could be used to (best case) market specific products to you and (much worse case) identify you as a suspect in a crime, use your past conversations in a divorce proceeding, or steal sensitive company information from your office.
Three Things You Need to Do
The only certain defense against all this, of course, is to not permit these devices within your company walls. But I understand, there’s a risk/reward tradeoff at play here and you may not be willing to draw such a firm line.
So, try this…
1. Don’t have sensitive conversations near Alexa.
Discussions about an upcoming acquisition, plans to travel to a customer account, bank account numbers or passwords … anything that you don’t want to be heard by outsiders should not be discussed within earshot.
You might even consider designating a conference room or office as a “no electronic devices” space (where even cell phones are forbidden), so that you can speak freely.
2. Fine-tune your configuration settings. The more things you allow Alexa to do, the more threats you invite. Google “Alexa privacy settings” and you’ll see that you can limit communications, disable online purchases, revoke access to contacts, delete past recordings and more.
3. Minimize your use of “skills.” Skills are Amazon’s word for apps (Google calls them Actions). There are more than 70,000 (not a typo) of these, covering everything from ordering a Lyft, to starting your Roomba, to playing games. Every one of them is reviewed by Amazon or Google before it is published, but that didn’t stop the SRLabs researchers in the demonstration above: their skills passed review while behaving innocently, and the researchers then changed what the skills did afterwards, without going through review again. Remember, adding apps is adding risk.
Final Thoughts
I’d be lying if I said I wasn’t trying to scare you. I am, at least a little bit.
Because while I readily acknowledge my standing as a “smart speaker paranoid” guy, and even though many of the scenarios laid out here are, for the moment, theoretical, we have not yet seen the consequences of what I believe is surely coming.
Just as we all determine our individual risk/reward models for what we eat, how we drive, where we travel, etc., the key to staying safe with smart speakers is to have a similarly deliberate approach to staying informed and setting limits.
As for me, I rely on one simple smart speaker command: “Alexa, please unplug yourself and jump out the window!”
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].