The Internet of Things and Voice Assistant Tech – Balancing the risks and benefits
Posted by Dr Jason R C Nurse on 19 January 2018
Internet of Things – The basics
Have you heard the recent estimates about the vastness of the Internet of Things (better known as IoT), and how much it will change your life? A recent stat in an Intel IoT report suggests that by the year 2020, 200 billion objects will be connected! That’s more objects than neurons in the human brain and near to some (lower) estimates of the number of stars in the Milky Way! So, what is the IoT?
One way to understand the IoT is to view it as a computing paradigm where real-world objects or “things” are embedded with electronics which enable them to communicate and exchange data with other connected systems and devices. The fact that practically any object – inanimate or not – can be tagged is one of the reasons why the IoT has the potential to be so large. Today, for instance, in homes across the UK, there is an increasing number of connected TVs, fridges, and health devices. At the very least they provide convenience (and soon even dating advice!) while at best they could actually save lives.
Amazon Alexa and Google Home are two of the most popular voice assistants today and are great at automating various parts of your home – even the kitchen sink! But, could these devices be eavesdropping on what you say, and what might the risks be? These were the questions that were posed to a panel that I was a part of at the Cheltenham Science Festival last year.
In the lead-up to this event, I had the opportunity to work on a research project which reflected on the risks of including these devices in our homes. Possibly the most worrying of these was the reality that hackers (almost) always find a way to compromise new tech. The risk to you, therefore, is that other parties (e.g., tinkerers, hackers, etc.) could find a way to compromise these devices and dictate what they record. Imagine being recorded all the time, regardless of whether you use the magic wake words “Ok Google” or “Alexa”, or not! Scary, isn’t it?
My fears were realised when a security researcher discovered this hack. In short, it would enable a hacker to stream audio from a hacked Amazon Echo to their own remote computer. Though only a proof-of-concept with some high initial requirements (most notably, brief physical access to the device), this demonstrates the art of the possible today. Another way in which people may be harmed is via attacks on the third-party organisations that hold any collected voice data. A poignant example of this is the breach of the smart toy manufacturer, CloudPets, last year when millions of private messages between parents and kids were leaked.
While not the most worrying, the most likely risk with your home’s voice assistant tech is unintended initiation. Imagine, for instance, the word “Alexa” (or something close to it) being used in a television programme; this may well set off the device and capture a few seconds of a private conversation. Or, an unsuspecting child using Alexa to engage in some unsanctioned activity. The latter is perfectly exemplified through a case in the US where a 6-year-old placed an order for a doll house and box of cookies by conversing with Alexa. The real concern though, is not one-off unintended purchases, but the potential consequences when harmful smart appliances – such as stoves and ovens – are accidentally turned on. This might be by kids, hackers, or even through specialised advertisements targeting your home IoT devices – this Burger King advert is one excellent example of what’s now a reality. Other instances can be found in this recent Symantec report.
Dr Jason R C Nurse
Senior Researcher in Cyber Security
Dr Jason R C Nurse is a Senior Researcher in Cyber Security within the Department of Computer Science at Oxford University. Within his role, he also acts as a lecturer with the Oxford Centre for Doctoral Training in Cyber Security and as a supervisor for various doctorate, masters and undergraduate projects.