Monday, March 6, 2017

Amazon Echo, Google Alexa, and the NSA

Amazon's Echo (which runs Alexa) and Google Home are Internet of Things devices that listen for your voice commands and then do not particularly interesting things for you.  The minor convenience and gee-whiz factor are far outweighed by the way you are painting a big bull's-eye on your house:
As a rule, IoT devices lack security and these are no different. Unlike other IoT devices, these personal assistants compromise your security in even more ways than you may think. In general, most users don't read the Terms of Service (ToS) associated with IoT devices or software being installed. Users have a basic understanding that Amazon and Google will maintain your profile information, such as what music you listen to, when you turn off your lights, or even the coffee you order, in an effort to provide a better overall experience. Over time these devices learn your preferences; the more intuitive and responsive the device, the more we tend to use it.

What is more alarming is what you don't think about when using these voice activated devices, including those from Apple and Microsoft. There has been a lot of discussion around the security and privacy of these devices over the past few months. One of the biggest concerns is the question of whether the devices are always listening. Both Amazon and Google say the devices listen for hot words that activate them, such as Hello Google or Echo/Alexa, but because these devices are controlled by and interact with Amazon and Google, the hot words and/or the device itself can be easily manipulated to allow for an always-on "listening mode" by the vendor at any time by way of a crafty term of service.
How good is the security of these devices?  You can't know.  What do the Terms of Service actually do to protect your privacy?  You can't know:
Amazon: In order to keep the Amazon Software up-to-date, we may offer automatic or manual updates at any time and without notice to you.

Google: When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available…
So the services can update the software without your knowledge, whenever they want, for any reason they want.  An update clause like that means that whatever you concluded about the device's behavior today says nothing about the code it will be running tomorrow.  The terms of service also state that they may sell or share your data with other organizations.  And this is creepy but entirely to be expected:
In addition to the vendor maintaining access to the device, it isn't unfathomable that cyber-criminals could gain access as well. These are, after all, IoT devices and are just as vulnerable to being pwnd (geek speak for owned or controlled) as any other IoT device. Both devices have indicators when they are in listening mode; however, this can be easily disabled by a hacker. A hacker could be listening to your every word and you would not be aware.
And would the NSA listen in?  The Snowden revelations suggest that it might already be.  How much data does it have?  Who knows?

It will be a cold day in Hell when one of these things shows up at Castle Borepatch.

8 comments:

Ken said...

Nor a NEST thermostat, nor Web-enabled fridge, door locks, etc.

Bob Tamewitz said...

I don't have any of that stuff and don't intend to ever get them. My boss used to call me the Fox Mulder of our company. Trust no one. And I don't........

B said...

Your phone does the same, if it is iOS or Android/Google operating system. Tablets too.

Old NFO said...

Same here... I don't allow ANYTHING to update on its own, EVER!

Comrade Misfit said...

I fully agree, which is why I'll keep my dumb old CRT TV, too.

matism said...

Your computer does the same, if it is Crapple or Macroslop. Count on both having provided backdoors to the Only Ones. Not just to be able to read and write any file on the computer, but to see and hear anything through any attached cameras or microphones as well.

And Comrade Misfit, you don't have to keep the CRT TV as long as you're smart enough not to get any flatscreen that is internet capable. Wireless counts, because as long as it has an IP address you're vulnerable. It's possible that set-top boxes might be sufficient to feed info back home, but you've got the same issue there regardless of whether the tube is a real tube or instead a buncha LCDs.

Comrade Misfit said...

Matism, I'm reasonably confident that all my set-top box is going to send back is that I like watching Mannix, and that the Weax Channel is usually the one that's on.

So unless they're going to send me ads for storm gear, Plymouth Barracudas or Detective Specials, I can live with that.

matism said...

If you're confident that's the case, Comrade Misfit, then get you an LCD tube. But with no internet connection.

I don't do TV (and haven't since they went digital several years back), but if I did, I would expect that the set-top box would be capable of sending back MORE than what you state.