Let’s face it, folks: most of us are lazy – or, as I laughingly say, “energy efficient.” But it is no joke that convenience is the enemy of security. From passwords that offer little in the way of protection to amazing devices designed to make our lives easier, we are enabling both the government and evildoers by handing over our secrets to devices we barely understand and cannot vet for security.
A mistake, a bug, a feature?
Recently an Echo, an Alexa-powered device, surreptitiously recorded a user’s conversation and then shared it with a random contact in their address book, highlighting the ability of a commercial device to breach both your personal and professional security with impunity. The random contact turned out to be an employee of the user’s husband, and the information forwarded was a conversation about the selection of flooring. Can you even begin to imagine the consequences if this conversation had been intimate, or had contained personal medical information or advance plans for a commercial venture?
It is not beyond the pale that state-sponsored intellectual property thieves, blackmailers, or even the government spying on an uncharged and unconvicted suspect could hack the system. Imagine the damage that could be done in attorneys’ or physicians’ offices – or anywhere else confidential information is being discussed.
And it is not just home devices; advanced technology is being built into vehicles. I can remember General Motors’ claim that its On-Star vehicle safety system could not be used surreptitiously to listen to an in-car conversation. Unfortunately, a court case presented evidence that General Motors lied and that the On-Star microphone could be turned on without alerting the vehicle’s occupants. And, if the windows were open, the device also captured conversations held near the vehicle, depending, of course, on the ambient noise conditions at the time.
Amazon acknowledged the security breach as being an “accident” and an “anomaly.” But was it? Obviously the capability existed in the device and was designed in for a purpose.
According to the Wall Street Journal:
"The devices are intended to remain offline unless they hear a specific term known as the wake word—in Amazon’s case, the default is 'Alexa.' In effect, though, that means the microphones are on by default whenever the devices have power."
"The Echo, for example, continuously records small pieces of audio on the device that it is supposed to automatically erase unless it is activated. Only after the device hears its wake word is it supposed to be able to send anything to the cloud or elsewhere on the network. Amazon has previously said that its devices are extremely unlikely to be hacked, and the Echo and its sister devices include a mute button that disconnects the device internally as an extra safety feature."
Amazon’s explanation: “Echo woke up due to a word in background conversation sounding like ‘Alexa.’ Then, the subsequent conversation was heard as a ‘send message’ request. At which point, Alexa said out loud ‘To whom?’ At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, ‘[contact name], right?’ Alexa then interpreted background conversation as ‘right.’ As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
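To see why that chain of events is plausible, here is an added model of the wake-word, intent, recipient and confirmation sequence, run over a constructed background conversation. It is my own illustration, not Amazon’s code or any real Alexa logic; the contact list, the transcript and both matching policies are assumptions. The lenient policy spots a keyword anywhere in ambient speech; the strict one requires each step to be an explicit, stand-alone utterance and cancels the dialog otherwise.

```python
WAKE = "alexa"
CONTACTS = {"bob", "alice"}           # constructed address book
CONFIRM = {"right", "yes", "correct"}

# Constructed background conversation, chunked as a speech recogniser might
# emit it. Nobody is addressing the device; "alexa", "send message", a
# contact name and "right" all occur incidentally.
BACKGROUND = [
    "i think the alexa grey oak planks look best",
    "we could send message to the installer about the floor",
    "maybe ask bob tomorrow",
    "he said the quote was right on budget",
]

def run_dialog(chunks, strict=False):
    """Walk idle -> listening -> ask_recipient -> confirm over the chunks.

    Lenient: a keyword anywhere in a chunk satisfies a step, and the device
    keeps waiting for the next step. Strict: the wake word and the intent
    must open their utterances, the recipient and confirmation must be the
    whole utterance, and any unsatisfied step returns the device to idle.
    Returns (outcome, log); outcome is "sent:<name>" or "idle".
    """
    state, recipient, log = "idle", None, []
    for chunk in chunks:
        toks = chunk.lower().split()
        if state == "idle":
            if (toks[:1] == [WAKE]) if strict else (WAKE in toks):
                state = "listening"
                log.append("woke up")
        elif state == "listening":
            if (toks[:2] == ["send", "message"]) if strict \
                    else ("send" in toks and "message" in toks):
                state = "ask_recipient"
                log.append("asked: To whom?")
            elif strict:
                state, _ = "idle", log.append("no intent heard, back to sleep")
        elif state == "ask_recipient":
            names = [t for t in toks if t in CONTACTS]
            if names and (not strict or len(toks) == 1):
                recipient, state = names[0], "confirm"
                log.append(f"asked: {recipient}, right?")
            elif strict:
                state, _ = "idle", log.append("no clear recipient, cancelled")
        elif state == "confirm":
            if (len(toks) == 1 and toks[0] in CONFIRM) if strict \
                    else any(t in CONFIRM for t in toks):
                log.append(f"sent the recording to {recipient}")
                return "sent:" + recipient, log
            state, _ = "idle", log.append("not confirmed, cancelled")
    return "idle", log
```

Running the same background chatter through both policies shows the lenient one mailing the recording to "bob" while the strict one never leaves idle, yet a genuine four-utterance request still succeeds under the strict policy.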
Best practice: do not sacrifice security for convenience by using one of these devices.
Are you asking yourself, Am I Next?