Hey Alexa, Can You Be Hacked?
Why I’m Wary of Voice Activated Assistants
My sister and I are a lot alike, except I work with technology and she doesn’t. Ironically, she uses Alexa and I don’t. Having more than a cursory understanding of how voice activated assistants work, and their vulnerabilities, makes me hesitant to adopt the technology.
Watch what you say in private
Sure, it’s fun to ask Alexa questions or have her play a favorite song. But the thought of a device listening in and recording my private conversations, including the possibility that nefarious “bad actors” could also listen in, access and share private information, is unsettling. I say a lot of things in the privacy of my own home I don’t want anyone but my dog to hear.
That is exactly what happened in our hometown of Portland, Ore., back in May 2018. A couple’s private conversation was recorded by an Amazon Echo device. Alexa then sent the conversation to a random number in their address book. The conversation was not particularly stimulating—it was about hardwood floors. Regardless, the homeowners felt an extreme violation of personal privacy.
According to Amazon, this case was simply a malfunction and is not proof Alexa is always listening. Separate from this incident, however, Amazon and Google have filed patent applications to add functionalities involving always listening. Algorithms are designed to listen and analyze key words such as “love” or “bought” in order to send targeted advertisements related to the topic of conversation. This is what is coming, right around the corner.
The hardwood flooring incident was not the first Alexa “glitch” but is particularly worrying that the devices continue to be vulnerable four years after their release on the market. Which leads me to the next point.
Can Alexa be hacked?
In a word, yes. Checkmarx is a company that makes a suite of tools for developers to test the security of their software before it’s released to the public. Earlier, this year Checkmarx illustrated step by step how they hacked Alexa to record everything it could hear. While fixes have been applied to the vulnerabilities, Checkmarx said accessing Alexa’s programming was fairly easy. When a system is hacked, it also affects all of the Internet of Things (IoT) smart devices that are attached to it.
Researchers and security experts continue to find ways to hack into and control voice assistants. Approaches include using eavesdropping software, undetectable audio commands and targeting devices connected on a network.
Former National Security Adviser and privacy expert Jake Williams says the chance of a hack is pretty low because hackers are not that interested in wading through mountains of mundane conversations in people’s homes. Williams also points out there is less risk of accessing critical information than if your phone or laptop were hacked.
I understand the rationale—a laptop and phone are directly connected to the internet, while Echo fills the role of a speaker, taking input from only two parties—the user and the server it is connected to, such as Amazon. So far, there is no reported evidence hackers are using devices like Echo to hack Amazon’s servers.
But there is no denying the fact that voice-assisted speakers can and do continue to be hacked. Companies such as Amazon and Google have plans to gather more data from us. Amazon says it isn’t in the business of selling your data away to another company; they are using it to learn more about you and build out a marketing profile of you. Isn’t that what we thought about Facebook?
I want to scream “slippery slope!”
To see everything Amazon’s Alexa has recorded about you, read through CNBC’s explainer here. You can also view what information has been collected about you by Google and Facebook.
Vulnerabilities are not limed to Echo
Though this article takes aim at the Amazon Echo, the same vulnerabilities can be applied to Google Home, Apple Homepod and any other voice assistant that may crop up. For example, Facebook recently launched an Alexa compatible video monitor, microphone and video calling devices called Portal and Portal+. Similar technology is applied to all of these interactive devices.
I used to think of myself as an “early adopter” of technology. I love having the latest smartphone, have a fairly sophisticated home internet network, streaming TV and sound system. Even though we are progressing toward a more digitally connected society, I am just not ready for Amazon, Google or anyone else to listen in on my private conversations, amass and potentially share my data.