The Internet of Things and Voice Assistant Tech – Balancing the risks and benefits

Posted by Dr Jason R C Nurse on 19 January 2018
Many blue open locks around one closed red lock

Internet of Things – The basics

Have you heard the recent estimates about the vastness of the Internet of Things (better known as, IoT), and how much it will change your life? A recent stat in an Intel IoT report suggests that by the year 2020, 200 billion objects will be connected! That’s more objects than neurons in the human brain and near to some (lower) estimates of the number stars in the Milky Way! So, what is the IoT?

One way to understand the IoT is to view it as a computing paradigm where real-world objects or “things” are embedded with electronics which enables them to communicate and exchange data with other connected systems and devices. The fact that practically any object – inanimate or not – can be tagged is one of the reasons why the IoT has the potential to be so large. Today, for instance, in homes across the UK, there are an increasing number of connected TVs, fridges, and health devices. At the very least they provide convenience (and soon even dating advice!) while at best they could actually save lives.

Reviewing the risks

While the IoT offers several benefits at automating our lives (not to mention the convenience of brewing a cup of coffee with only a voice command!), as with all other parts of our lives, it is prudent to pause and reflect on the risks to its use. This has been a key area in my ongoing research, particularly the topics of modelling the security and privacy risks in the smart home, determining the privacy risks with fitness trackers and online social networks, and understanding perceptions and behaviours in the use of personal smart devices. One of the most significant topics today however, is that of voice assistant IoT technology (e.g., Amazon Alexa, Google Home, and Apple HomePod) in the home – this is what I explore next.

Is your smart home tech listening to you?

Amazon Alexa and Google Home are two of the most popular voice assistants today and are great at automating various parts of your home – even the kitchen sink! But, could these devices be eavesdropping on what you say, and what might the risks be? These were the questions that were posed to a panel that I was a part of in the Cheltenham Science Festival last year.

In the lead up to this event, I had the opportunity to work on a research project which reflected on the risks to including these devices into our homes. Possibly the most worrying of these was the reality that hackers (almost) always find a way to compromise new tech. The risk to you, therefore, is that other parties (e.g., tinkerers, hackers, etc.) could find a way to compromise these devices and dictate what they record. Imagine being recorded all the time, regardless of if you use the magic wake words “Ok Google” or “Alexa”, or not! Scary isn’t it!

My fears were realised when a security researcher discovered this hack. In short, it would enable a hacker to stream audio from a hacked Amazon Echo to their own remote computer. Though only a proof-of-concept with some high initial requirements (most notably, brief physical access to the device), this demonstrates the art of the possible today. Another way in which people may be harmed is via attacks on the third-parties organisations that hold any collected voice data. A poignant example of this is with breach of the smart toy manufacturer, CloudPets, last year when millions of private messages between parents and kids was leaked.

While not the most worrying, the most likely risk with your home’s voice assistant tech is unintended initiation. Imagine, for instance, the word “Alexa” (or something close to it) being used in a television programme; this may well set off the device and capture a few seconds of a private conversation. Or, an unsuspecting child using Alexa to engage in some unsanctioned activity. The latter is perfectly exemplified through a case in the US where a 6-year-old placed an order for a doll house and box of cookies by conversing with Alexa. The real concern though, is not one-off unintended purchases, but the potential consequences when harmful smart appliances – such as stoves and ovens – are accidentally turned on. This might be by kids, hackers, or even through specialised advertisements targeting your home IoT devices – this Burger King advert is one excellent example of what’s now a reality. Other instances can be found in this recent Symantec report.

Going forward

There are several more examples of the potential risks to the use of smart devices in the home, but as mentioned earlier, many benefits. My ongoing research is focused on understanding these risks, and ensuring that both the creators and users of the IoT are aware of how they can be addressed, be this via user-focused risk assessment techniques, data tracking tools, or targeted awareness campaigns. Such approaches will also be informed by current regulations (such as the General Data Protection Regulation (GDPR)) which aim to protect users and their data.


In the following table, contact information relevant to the page. The first column is for visual reference only. Data is in the right column.

Name: Dr Jason R C Nurse
Job title: Senior Researcher in Cyber Security

Dr Jason R C Nurse is a Senior Researcher in Cyber Security within the Department of Computer Science at Oxford University.  Within his role, he also acts as a lecturer with the Oxford Centre for Doctoral Training in Cyber Security and as a supervisor for various doctorate, masters and undergraduate projects.

Twitter: @jasonnurse