Amazon Echo and Google’s Alexa are Internet Of Things devices that listen for your voice commands and then do not particularly interesting things for you. The minor convenience and gee-whiz factor are way outweighed by how you are painting a big bull's-eye on your house:
As a rule, IoT devices lack security and these are no different. Unlike other IoT devices, these personal assistants compromise your security in even more ways than you may think. In general, most users don’t read the Terms of Service (ToS) associated with IoT devices or software being installed. Users have a basic understanding that Amazon and Google will maintain your profile information, such as what music you listen to, when you turn off your lights, or even the coffee you order, in an effort to provide a better overall experience. Over time these devices learn your preferences; the more intuitive and responsive the device, the more we tend to use it.
What is more alarming is what you don’t think about when using these voice-activated devices, including those from Apple and Microsoft. There has been a lot of discussion around the security and privacy of these devices over the past few months. One of the biggest concerns is the question of whether the devices are always listening. Both Amazon and Google say the devices listen for hot words that activate them, such as Hello Google or Echo/Alexa, but because these devices are controlled by and interact with Amazon and Google, the hot words and/or the device itself can be easily manipulated to allow for an always on “listening mode” by the vendor at any time by way of a crafty term of service.
How’s the security of these devices? You can’t know. What will the Terms Of Service provide to protect your privacy? You can’t know:
Amazon: In order to keep the Amazon Software up-to-date, we may offer automatic or manual updates at any time and without notice to you.
Google: When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available…
So the services can update the software without your knowledge, whenever they want, for any reason they want. The terms of service state that they may sell or share your data to other organizations. And this is creepy but entirely to be expected:
In addition to the vendor maintaining access to the device, it isn’t unfathomable that cyber-criminals could gain access as well. These are, after all, IoT devices and are just as vulnerable to being pwnd (geek speak meaning owned/or controlled) as any other IoT device. Both devices have indicators when they are in listening mode, however this can be easily disabled by a hacker. A hacker could be listening to your every word and you would not be aware.
And so would NSA listen in? The Snowden revelations suggest that they might already be listening in. How much data do they have? Who knows?
It will be a cold day in Hell when one of these things shows up at Castle Borepatch.