Briefing Paper – Smart speakers can be used to hack your world
Australians are unaware that turning their home into a ‘smart house’ using their new smart speaker – like Amazon’s Alexa and Echo units – potentially opens the door to hackers obtaining their personal information through ANYTHING they connect to their smart speaker device.
There are between 13,000 and 15,000 ‘smart skills’ apps specifically designed for connecting smart speakers to devices, with more hitting the market every day – 6,000 new skills apps (not just smart home) were listed on Amazon in the last 90 days alone. This has the potential to turn your Alexa or Echo device into an all-controlling entity in your household.
The smart speaker company is only responsible for the security of the unit itself, not for the ‘connection’ between your smart speaker and a third-party device (e.g. digital recorders, baby monitors, etc.). This provides a conduit for hackers to ‘get into your life’.
In other words, smart speakers have opened the backdoor to your entire world of privacy.
What is smart skills technology?
A customer enables a smart home skill in the Alexa app, links it to their account with a device cloud and discovers devices associated with that account.
Then, when Alexa hears a customer request like “Alexa, turn the kitchen light to 50 percent”, or a customer makes a change to a light setting in the Alexa app, Alexa recognizes the customer’s intent to change a setting on a specific device. Alexa uses this information to create a message called a directive. This directive contains customer authentication information, an identifier for the device, and the new setting value.
Alexa knows to send this message to the smart home skill that controls the light. As a smart home developer, you receive and parse this message in code hosted in AWS Lambda, a compute service offered by Amazon Web Services (AWS), and pass it to the specified device in your device cloud. You respond with a message called an event, indicating whether the request succeeded. You have the option of sending the event synchronously from the Lambda function or asynchronously from the device cloud. Alexa uses the information in the event to respond to the customer who made the request.
In addition to supporting voice requests, the API also enables you to easily provide updates when the state of a device changes. This means customers can see an up-to-date status and control their devices from the Alexa app. For example, a customer can use the Alexa app to check the temperature of their home or turn off their lights.
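As an added example (not Amazon’s code and not from this paper), here is a Python Lambda-style handler for the directive-to-event exchange described above: it checks the customer authentication information carried in the directive against an account-linking table before forwarding the new setting to the device cloud, and answers with a Response or ErrorResponse event. The v3 JSON field names, the token values and the device names are assumptions for illustration.

```python
import uuid

# Constructed account-linking table (bearer token -> customer and the devices
# discovered for that account); a real skill looks this up in its own store.
LINKED_ACCOUNTS = {"tok-alice-123": {"customer": "alice", "devices": {"light-kitchen"}}}
DEVICE_CLOUD = {}  # fake device cloud: endpointId -> last state written

def make_directive(token, endpoint_id, brightness):
    """Build a SetBrightness directive in the v3 layout (field names assumed)."""
    return {"directive": {
        "header": {"namespace": "Alexa.BrightnessController", "name": "SetBrightness",
                   "payloadVersion": "3", "messageId": str(uuid.uuid4()),
                   "correlationToken": "corr-" + str(uuid.uuid4())},
        "endpoint": {"scope": {"type": "BearerToken", "token": token},
                     "endpointId": endpoint_id},
        "payload": {"brightness": brightness}}}

def authorise(directive):
    """Return the linked account that owns this endpoint for this token, else None."""
    endpoint = directive.get("endpoint", {})
    scope = endpoint.get("scope", {})
    account = LINKED_ACCOUNTS.get(scope.get("token")) if scope.get("type") == "BearerToken" else None
    if account and endpoint.get("endpointId") in account["devices"]:
        return account
    return None

def handle_directive(event):
    """Lambda-style handler: check auth, apply the setting, answer with an event."""
    directive, header = event["directive"], event["directive"]["header"]
    endpoint_id = directive.get("endpoint", {}).get("endpointId")
    reply = {"event": {"header": {"namespace": "Alexa", "name": "Response", "payloadVersion": "3",
                                  "messageId": str(uuid.uuid4()),
                                  "correlationToken": header.get("correlationToken")},
                       "endpoint": {"endpointId": endpoint_id}, "payload": {}}}
    def fail(kind, message):  # turn the reply into an ErrorResponse event
        reply["event"]["header"]["name"] = "ErrorResponse"
        reply["event"]["payload"] = {"type": kind, "message": message}
        return reply
    if authorise(directive) is None:  # the token is the only proof of who is asking
        return fail("INVALID_AUTHORIZATION_CREDENTIAL", "token not linked to this endpoint")
    level = directive.get("payload", {}).get("brightness")
    if (header["namespace"], header["name"]) != ("Alexa.BrightnessController", "SetBrightness") \
            or not isinstance(level, int) or not 0 <= level <= 100:
        return fail("INVALID_DIRECTIVE", "unsupported directive or out-of-range value")
    DEVICE_CLOUD[endpoint_id] = {"brightness": level}  # hand the setting to the device cloud
    reply["context"] = {"properties": [{"namespace": "Alexa.BrightnessController",
                                        "name": "brightness", "value": level}]}
    return reply
```

The point the paper makes is visible in `authorise`: nothing between Alexa and the device cloud checks that the token belongs to the customer who owns that endpoint unless the skill developer writes that check.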
How can hackers use smart skills to hack your devices?
- Devices linked to a smart speaker via ‘smart skills’ technology and the Internet of Things (IoT) (anything with Wi-Fi capability that can be connected to the ‘cloud’ and therefore to a smart speaker), including webcams, doorbells, baby monitors, thermostats and digital recorders, can be used to access personal data to perpetrate identity theft or any number of other cyber-crimes.
- Because a service such as Alexa acts as a conduit for thousands of smart skills apps from third-party suppliers and then stores interactions with them, it constitutes a major vulnerability. A smart cyber-criminal or hacker could harvest personal data using a ‘spearphishing’ attack on individuals to get their Amazon login details and steal their identities.
This is because, while Alexa and other smart speakers have their own security parameters, the parent company (Amazon) is not responsible for security around the actual smart skills apps, nor for the ‘packets’ of information that travel between any of your devices connected to the smart speaker. Any hacker with a basic ability to hack Wi-Fi networks could ‘spear’ the data flowing between Alexa, smart skills apps and connected devices – this could see a consumer hacked via their home thermostat.
NOTE – Amazon does provide specific guidelines for smart skills app developers, including making sure they are ‘certified’ to a level acceptable to Amazon. However, the actual security parameters around the app itself are the responsibility of the app developer alone.
Smart Skills Security Flaws Amazon Won’t Tell You About and Are Not Responsible For
As far as Amazon is concerned, they are only responsible for the security of their own devices. While they have set fairly strict security and privacy guidelines that smart skill app providers must adhere to, the actual security (e.g. encryption of the actual packets of information) is the responsibility of the app provider.
This leaves a massive vulnerability gap between the smart skills providers, the Amazon smart speaker and consumers’ devices.
A basic analysis of apps has found that many providers/suppliers of smart skills apps fail to protect against even the most basic vulnerabilities, such as:
- The login process is not authenticated;
- The default option is to allow ‘auto-login’ – most people don’t know to change this;
- Communications with the cloud are not encrypted – that is, the packets of information between the device and the smart speaker are ‘unprotected’;
- Cloud providers allow the use of Virtual Private Networks; however, once the connection is established, the remote network configuration can be changed, resulting in unauthorised access;
- There is insufficient protection of stored personal data.
- May 2018 – Family in Oregon USA shows how vulnerable Alexa is – In May of this year a woman in Portland, Oregon found out that her family’s home digital assistant, Amazon’s Alexa, had recorded a conversation between her and her husband without their permission or awareness, and sent the audio recording to a random person on their contacts list.
Amazon palmed it off as an error, but it shows the vulnerability of speakers that connect to any consumer device.
Story link – https://qz.com/1288743/amazon-alexa-echo-spying-on-users-raises-a-data-privacy-problem/
- Hacked personal assistants were used to launch distributed denial-of-service (DDoS) attacks on various third-party websites: the Mirai malware was used to attack Dyn and cripple websites such as Twitter, PayPal, Netflix and Reddit.
Story link – https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
How can consumers protect themselves?
- Erase your history on a regular basis – at least weekly (using device Settings) – delete all past recordings of interactions;
- Turn off the feature allowing transfer of audio files (a bit of a nuisance if you are exchanging music with your friends or sending people audio messages);
- Don’t connect any sensitive accounts to Amazon’s Echo;
- Use voice recognition so Alexa can only be used by its owner;
- Turn on multi-factor authentication (MFA) for your Amazon account as well as your email account, iTunes (Apple) account, cloud apps, or any access to account details or settings you might be using (e.g. Facebook, LinkedIn, etc.);
- Remove Adobe Flash Player from your laptop;
- If your device (Amazon Echo/Alexa, Google Home Mini, Apple HomePod) has a mute button then use it to protect any private or personal conversations;
- Change the ‘Wake’ word – customise your device’s operation;
- Use the device Settings to put a PIN on any activities such as Purchasing;
- Exclude access to location, email contacts, calendar and smart skills using Privacy/Settings controls;
- The fact that some devices such as Alexa can control your fridge, home lighting, music players, TV, home security systems and cameras, and other devices via 15,000 skills and third-party vendors doesn’t mean that you should allow this. Quite simple rules can be used: anything that can compromise access to your home (home security systems, for example) – don’t enable it. Anything like entertainment, downloading music or lighting appliances might be OK as long as it can’t be used as a jumping-off point to more important functions.
- Best for last: Switch it off when not using it or not at home.
Note on the skills count – conservative estimate based on analysis of the Amazon site https://www.amazon.com/alexa-skills/b?ie=UTF8&node=13727921011 – also see https://www.architecturaldigest.com/story/amazon-alexa-skills
Note on Dyn – a DNS registration / domain name registration directory website in the USA.