As smart home and personal assistant products enter the mainstream market, consumers and businesses must weigh the risks associated with such a technologically invasive product. It seems as though, every day, a new appliance is connected to the internet of things. From air conditioners and refrigerators to kettles and even the locks on our doors, our homes are increasingly interconnected by a web of technology that makes our lives easier. However, with these conveniences comes serious risk. The more tasks we allocate to our Alexa, the more control we give away to a would-be hacker.
Almost two years ago, in late 2019, these security concerns were brought to the public’s attention. In a research paper authored by students of The University of Michigan, many personal assistant products were shown to have serious security flaws, which possibly enabled a bad actor to feed the device commands from 110 meters away. By aiming a powerful “amplitude-modulated” laser at the microphone of the device, the researchers proved it was possible to inject voice commands by simulating the vibrations caused by the human voice.
The authors claim, “Examining various products that use Amazon’s Alexa, Apple’s Siri, Facebook’s Portal, and Google Assistant, we show how to use light to obtain control over these devices … Next, we show that user authentication on these devices is often lacking, allowing the attacker to use light-injected voice commands to unlock the target’s smartlock-protected front doors, open garage doors.” These security flaws were massive. In the coming weeks, all of the companies involved patched their software to increase security. Even though the research took place in a lab environment and used expensive equipment, this security lapse is worrying.
Another vulnerability was shown in an article by The Verge around the same time. This security flaw allowed hackers to use commands which, after they failed or errored out, kept the device listening and transmitting data. Amazon and Google, the leading smart home competitors, both failed to check updates for malicious code, making this vulnerability exploitable. Quickly, however, their systems were updated to increase the security of third-party programs.
Perhaps these breaches never posed a large-scale threat, but they show something that has the possibility to be very dangerous in coming years. Smart home products can help us reimagine how we interact with our homes and free up time in our schedules, but any security flaw in a product such as Alexa or Google Home could have massive consequences. It could be exploited to lock people out of their homes, steal cars, ransom the heat in someone’s home, or even drain their bank account through amazon.
As we move towards a future where devices like these are increasingly commonplace, software and hardware security become increasingly important. In a time when our devices reach into what has forever been physical, what is important for our very survival like shelter and transportation, quality software penetration testing, too, moves from a digital necessity to a physical one. If the security of our products, as a society, falls far behind the products themselves, we devalue the innovation and risk our safety in the process.
If you want to keep your devices safe, there are a few easy first steps you can take. Safety.com has articles outlining how you can keep your devices, such as an Amazon Alexa or Google Home, safe. It boils down to making sure you know what your device knows and changing settings, where possible, to be more comfortable with it.