I Am Alexa, and I Am Here to Help: Simple Tweaks to Help Reduce Risk from Voice-Controlled Devices

Over the last few years, smart devices – once a rare novelty for only the elite and early adopters – have become a common household item, thanks in part to Amazon’s economical Alexa-powered line of products. Despite the growing adoption of devices like the Amazon Echo, there’s been a lot of debate about how safe or secure they really are. Within the cybersecurity industry, I myself have had many conversations around whether or not we should use voice-controlled systems in our homes.

For the “Type A’s” out there, unfortunately, there’s no right or wrong answer. When deciding whether or not to bring Alexa into your home, it all comes down to how comfortable you personally feel with these technologies.

As for me (a cybersecurity researcher who’s heard all the arguments against Alexa devices), I have several Amazon Echo Dots in use around my house for streaming music, checking the weather, setting alarms, controlling lights and fans, and asking any odd questions I’m too lazy to type into a Google search.

While my Echo is a game-changer at home, it’s important to remember that these devices do still come with risks. The good news is that there are a few steps you can take to help reduce some of the concerns surrounding voice-controlled systems.

Know what you’re dealing with

With 13 new Amazon Alexa devices announced just last month (from microwaves to clocks and beyond), it may seem like there’s no escaping Alexa and her always-listening ears. It’s important to know exactly what you’re up against when you’re looking to bring Alexa into your home – and even more so into your office.

The risks posed by Internet of Things (IoT) devices are very real. Just a few months ago, an Oregon woman’s Alexa recorded her conversation with her husband and sent it to a random individual in her contacts. And while developers and manufacturers are working diligently to address the cybersecurity and privacy issues that people, like the woman in Oregon, fear, they just can’t keep up with evolving threats.

Whether you’re using an Alexa-backed thermostat or an Echo Dot to find out what the weather is going to be like on Tuesday, know that hackers looking to target poorly secured IoT devices can’t distinguish between the two. Much of the infrastructure looks exactly the same; at the end of the day, an attacker doesn’t care whether it is your thermostat or voice assistant. All they know is it’s a computer that can help them listen in on private conversations and give them access to secret information.

Switch up your wake word

When talking about products like the Amazon Echo, people regularly ask me, “Does this tech listen to everything I say?” I usually tell them yes… and no.

The technology is listening for a wake word, which activates the device and triggers it to send what follows to the internet, where it is processed and stored so the device can respond with an answer or the requested action. This is the way it was designed, and if used properly, it has limited and definitely manageable risk.

By default, the Echo’s wake word is “Alexa.” Everyone now knows this wake word and there have been a number of documented incidents where the device carried out an action such as attempting to order products because a show on a nearby television said, “Alexa.” The Amazon Echo can also be activated by anyone in or outside your house who says, “Alexa” – even an incoming call on a landline phone answering machine if the volume is set high enough to hear the incoming caller.

The way to combat this is to change the wake word. Although this isn’t a perfect solution, it does obfuscate the attack surface. Currently, the Amazon Echo supports four wake words: “Echo,” “Alexa,” “Amazon,” and “Computer,” as shown below. By switching it up, users are able to avoid accidental “Alexa” mishaps – whether talking about the product itself or a friend.

Figure 1: Change Wake Word

You can also limit risk around voice ordering by setting a PIN that will ensure no purchases or payments are made without your explicit permission.

Confirm when your device is listening

Another concerning issue: The wake word can still be accidentally and randomly triggered from sounds and voices from many sources, which means anything said after the wake word triggers the device could get sent to the internet. When in the privacy of your home, you want your comments and conversations to remain private.

Looking back on the example of the woman in Oregon, Amazon took some action to prevent these types of accidents from occurring again – but nothing is for sure. The question that we should then ask is, “what can we do to reduce the risk of private information being accidentally recorded?” The best method for achieving this is to adjust your alert settings. One common way to do this is to have the Echo alert you when the wake word is heard by emitting an audible tone that indicates it is in recording/processing mode, as shown below.

Figure 2: Request Sound

As voice-controlled technology progresses and experiences greater adoption, it is critical to remain diligent to avoid exposing ourselves to potential cybersecurity and physical risks. With new, innovative devices expanding beyond just TVs, speakers and lights, there are now more devices that, on their own, can be extremely hazardous, such as kitchen appliances (e.g. ovens and microwaves) and various kinetic devices like garage doors, which are responsible for a significant number of injuries each year.

While these simple steps may not be the be-all and end-all for ensuring safety and security, they do help. You can rest easier knowing that if someone attempts an attack against your device(s) with the default wake word “Alexa,” it will not work; or when you hear the recording alert, you’ll know to stop talking until it concludes with another audible tone. All it takes is a couple of simple configuration changes to help you reduce a few areas of risk and leverage the technology with more comfort.

About Author

IoT Research Lead at Rapid7