George Orwell’s classic dystopian novel, 1984, famously featured two-way televisions so Big Brother could spy on the populace and force them to undertake gruelling keep-fit classes.
Winston Smith had no choice but to comply with the Ministry of Information’s draconian laws, but we wouldn’t be so naive as to allow such spyware into our homes, would we?
Well, the bad news is – if you own an Amazon Echo, Google Home, a common-or-garden smartphone with a digital assistant, or even a single smart light bulb – you already have.
How would you feel if your government, foreign governments or hackers turned your Siri or Fitbit into a Stasi-era wiretapping device and listened in on private, personal conversations that took place in your own home?
Well, with half the western world convinced they can’t live without the latest, must-have, aspirational products, whole populations gleefully spend their hard-earned money on smartphones and gadgets. In Big Brother’s dream turned into reality, they voluntarily install these devices in their homes or carry them on their person 24/7.
Smart devices such as Alexa, Siri and other Digital Assistants are just the first baby steps towards the Internet of Things (IoT). Within a decade, nearly every home appliance and whole smart homes will offer connectivity via wifi or Bluetooth and therefore be vulnerable to attack.
The Internet of Things will certainly make our lives easier, but at what cost?
The more personal freedom we acquire through technology, the more privacy we must give up and the more open to exploits we become.
Today, we’ll mainly be using the incredibly popular Amazon Echo (“Alexa”) digital assistant as a metaphor for present and future IoT devices. However, to locate smart speakers’ vulnerabilities, we must first understand the tech that makes them tick.
How Do Smart Speakers Work?
If you’re not familiar with voice-activated devices you may be surprised to hear that if you take an Amazon Echo apart, you’ll find little more than:
A tweeter, a tiny subwoofer, some LEDs, 7 microphones, a 250MB Samsung mobile DRAM, a 4GB Toshiba eMMC NAND flash storage chip, a Qualcomm QCA6234 Dual-Band 802.11n and Bluetooth 4.0 chip. From Texas Instruments – a DM3725 Digital Media Processor, a programmable LED Driver, a stereo audio analogue-to-digital converter (ADC) and an integrated power management IC – which is a tiny amount of kit.
That’s because all the brainy stuff – a combination of automatic speech recognition (ASR) and natural language understanding (NLU) – occurs within Amazon’s cloud-computing service. The spying device smart speaker in your home is really just Alexa’s ears… and mouth.
Upon hearing the wake word, ‘Alexa’ in Amazon’s case or ‘Siri’ for Apple or ‘OK, Google’, the internal computer begins recording your voice. Then when you’ve finished speaking, the device encrypts and sends this recording over the Internet to Amazon’s cloud where Alexa Voice Services (AVS) convert your voice into commands via a simple voice-to-text service.
Does Alexa Record Your Every Word?
Yes. In order to hear the wake word, digital assistants are always passively listening for their wake command and, therefore, are recording your every word 24/7.
Amazon insists these unused recordings are erased every 60 seconds. The device does locally store 60 seconds of audio preceding the wake word, but transmits only a fraction of a second of audio preceding your wake word plus your actual query.
This eavesdropping feature can be turned off with the mute/unmute button. The “always listening” microphones will shut off until you’re ready to turn them back on and you can erase your entire search history on Amazon’s website under “Manage my device”.
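The buffering behaviour described above, modelled as an added example (not Amazon's code and not part of the original article): a rolling 60-second local buffer, an upload containing only a short pre-roll plus the query, and a mute switch. The frame length, the 0.5-second pre-roll, the silence-based end of query and all names are assumptions made for illustration.

```python
from collections import deque

FRAME_MS = 100          # assumed length of one audio frame
LOCAL_BUFFER_S = 60     # rolling on-device buffer, as described in the text
PREROLL_FRAMES = 5      # assumed "fraction of a second" sent before the wake word
END_SILENCE = 3         # assumed: this many silent frames end the query


class WakeWordDevice:
    """Toy model: frames are strings standing in for 100 ms of audio, "" is silence."""

    def __init__(self, wake_word="alexa"):
        self.wake_word = wake_word
        self.local = deque(maxlen=LOCAL_BUFFER_S * 1000 // FRAME_MS)
        self.uploads = []      # what would leave the device, one list per query
        self.muted = False
        self._query = None     # frames being collected for the current query
        self._silence = 0

    def feed(self, frame):
        if self.muted:
            return             # microphones off: nothing buffered, nothing sent
        self.local.append(frame)   # oldest frame falls out once 60 s is exceeded
        if self._query is None:
            if frame == self.wake_word:
                # Start the upload with a short pre-roll plus the wake word itself.
                self._query = list(self.local)[-(PREROLL_FRAMES + 1):]
                self._silence = 0
            return
        self._query.append(frame)
        self._silence = self._silence + 1 if frame == "" else 0
        if self._silence >= END_SILENCE:
            self.uploads.append(self._query[:-END_SILENCE])  # drop trailing silence
            self._query = None


def run_demo():
    # Constructed input: 70 s of private talk, a query, then more private talk.
    stream = [f"p{i}" for i in range(700)]
    stream += ["alexa", "what", "time", "", "", "", "after"]
    device = WakeWordDevice()
    for frame in stream:
        device.feed(frame)
    return device


if __name__ == "__main__":
    d = run_demo()
    print(len(d.local), "frames held locally;", d.uploads)
```

In this model the privacy exposure splits in two: the upload list is what reaches the cloud, while the local buffer is what someone with control of the device itself could read.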
What Happens To Recordings?
According to Wired, while Apple does log and store all Siri requests, it associates them to a random string of numbers instead of an Apple ID or e-mail address. Apple deletes those associations after six months (then keeps the disassociated files for up to 18 more months for testing and product improvement purposes.)
Amazon and Google histories, on the other hand, stay there until you decide to delete them, while Microsoft’s Cortana combines cloud-stored data and data stored on your device. The downside of deleting your history is that Alexa’s ‘A.I.’ also forgets everything she’s learnt about you!
What Are Smart Speakers’ Vulnerabilities?
An estimated 20 million (largely unmanaged and closed-source) devices are potentially at risk from cyber threats via the BlueBorne Bluetooth exploit, and new Wi-Fi vulnerabilities were also discovered in Broadcom’s chips (Broadpwn) and within the WPA2 protocol itself.
Furthermore, Armis warns that most users are “unaware their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android:”
Therefore, Amazon Echo devices are affected by at least two vulnerabilities:
- Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
- Information leak vulnerability in the SDP Server (CVE-2017-1000250)
These vulnerabilities can lead to a complete takeover of the device. Amazon has issued a patch and suggests Echo users update their devices to version v591448720 or later.
So, Can IoT & Smart Devices Be Hacked?
A few short years ago, security experts discussed IoT attacks as a distant future potential threat, but now they are very real, and becoming more prevalent. Some of the first IoT attacks occurred when Mirai malware hijacked over 100,000 IoT devices and coordinated DDoS (Distributed Denial of Service) attacks on cybersecurity journalist Brian Krebs and DNS provider Dyn, which temporarily took down Twitter, Spotify and Reddit.
The Amazon Echo is similarly open to hijacking. Its 7 microphones pick up frequencies of up to 42,000 Hz, and researchers from China’s Zhejiang University attacked Alexa by inputting commands as DolphinAttacks – ultrasonic frequencies outside the range of human hearing.
During February’s Super Bowl (watched by 111 million people), a Google Home commercial featuring people saying “OK Google” caused devices across America to light up!
Mark Barnes of MWR Security gained root access to the Echo via exposed diagnostic pads on the bottom of the device (these have been removed for 2017 models). Once connected, Barnes installed his own software that effectively acts as a wiretap, recording audio to his eavesdropping computer. Echo’s 7 microphones “pick up a whisper, and in playback, the sound quality couldn’t be clearer. If this were repeated in a criminal setting, the sensitivity of those microphones would be a boon to anyone listening in.”
Of course, Barnes’ physical attack required hours alone with the device, but with (encrypted) information travelling via Bluetooth to cloud-services, any data could, in theory, be vulnerable to both plug and play hacks and airborne attacks. Both could spread malware laterally to adjacent devices, access corporate networks and steal sensitive personal information.
So, the short answer is yes – there are a number of ways to hack smart speakers. But now that we know how vulnerable the device is and that Alexa stores your recordings in the cloud, what are the implications, and how might this technology be used against us in the future?
Real World Implications
James Andrew Bates, of Bentonville, Arkansas was charged with first-degree murder after a man named Victor Collins was found dead in Bates’ hot tub in November 2015.
According to this report, Bates owned several connected devices, including a Nest thermostat, a Honeywell alarm system, and an Amazon Echo. During their investigations, Arkansas police issued a warrant to Amazon requesting data in the form of audio recordings, transcribed records, and other text records from Bates’ Echo device. Notably, Amazon declined the warrant twice before Bates voluntarily handed them over.
The future is already here. According to a recent survey of Armis clients and deployments, “82% of companies have an Amazon Echo device in their corporate environment. In many cases, Corporate IT may not be aware that these IoT devices are even on the network.”
As IoT products – from smartphones, computers and speakers to smart refrigerators, TVs, watches, Fitbits – invade our homes, workplaces, gyms and hotels, the number of ways they can be exploited will grow accordingly. In this video, Armis Labs suggest that BlueBorne could spread across 5.3 billion connected devices, across Android, Windows, Linux and iOS.
This means, just as service providers must improve safeguards against identity theft via data breaches, they will also have to protect users’ personal safety.
Picture a scene where burglars access your Philips Smart light bulb app or Hotpoint oven app to find out at what time you arrive at home. Who is culpable – you or Philips/Hotpoint?
Imagine a future where hackers can intercept and listen in on celebrities’ live gossip or businessmen’s financial deals, or where (mentioning no names) a politician’s bedroom proclivities in a Russian hotel could be subject to blackmail. In the future, the most innocuous joke made in your home amongst good friends could land you in trouble if the wrong people are listening.
The one essential future lesson to be learnt is that we must treat IoT devices as we do our phones or computers. Make sure all devices have a passcode, pay particular attention to which functions are enabled and think about how the device is secured – via wifi or Bluetooth, and whether you can turn this functionality off. Update devices as regularly as your PC and turn off Bluetooth when you’re not using it. But this is just a starting point. There is much more to secure and think about.
If we don’t, the famous Miranda rights that police read while making arrests, “You have the right to remain silent, anything you say may be used as evidence against you…” might soon mean ‘anything we say’. Ever. And anywhere.