A quick three minute video
Echo and the NSA

Voice Active IoT Collects Too Much Information, Including Your Voice Biometric

This year’s hottest IoT devices are the personal assistants from Amazon and Google. These devices connect to your wireless network and within minutes are communicating with Amazon or Google to provide an unprecedented level of service… which is exactly the problem.

As a rule, IoT devices lack security, and these are no different. Unlike other IoT devices, however, these personal assistants compromise your privacy in more ways than you may think. Most users don’t read the Terms of Service (ToS) that come with IoT devices or the software they install. Users have a basic understanding that Amazon and Google will keep a profile on them, such as what music they listen to, when they turn off their lights, or even the coffee they order, in an effort to provide a better overall experience. Over time these devices learn your preferences; the more intuitive and responsive the device, the more we tend to use it.

What is more alarming is what you don’t think about when using voice-activated devices, including those from Apple and Microsoft. There has been a lot of discussion about the security and privacy of these devices over the past few months. One of the biggest concerns is whether the devices are always listening. Both Amazon and Google say the devices only listen locally for a wake word that activates them, such as “OK Google” or “Alexa”/“Echo”, and only then stream audio to the cloud. But because the software on these devices is controlled by Amazon and Google, that behavior is just a software setting: the vendor can push an update that changes the wake words or turns the device into an always-on “listening mode” at any time, and the terms of service you accept permit exactly such updates without notice:

Amazon: In order to keep the Amazon Software up-to-date, we may offer automatic or manual updates at any time and without notice to you.

Google: When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available…

In addition to the vendor maintaining access to the device, it isn’t unfathomable that cyber-criminals could gain access as well. These are, after all, IoT devices, and they are just as vulnerable to being pwned (geek speak for owned or controlled) as any other IoT device. Both devices have a light that indicates when they are in listening mode, but that indicator is driven by the same software as the microphone, so an attacker who gains control of the device can simply disable it. A hacker could be listening to your every word and you would not be aware. This, however, is not the most alarming part of the story. These devices and their associated services keep track of your likes and dislikes, what you purchase, what you listen to, as well as your location and your voice patterns (biometrics). That’s a lot of information to freely turn over to a private company.
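One check a practitioner can actually run on the always-listening question is to watch how much the device sends upstream. What follows is an added example, not code from the original post or from Amazon or Google: it works on per-second outbound byte counts for the assistant’s LAN address (here a constructed set of flow records, with an assumed device address and assumed thresholds) and flags sustained uploads that are not preceded by a wake-word event, which is what an “always listening” device would look like on the wire.

```python
"""Traffic-volume check for a voice assistant on the LAN.

Added example, not from the original post. A wake-word-only device should
upload audio-sized traffic just after a wake word; sustained uploads with no
wake word nearby are the behaviour worth investigating. The flow records are
constructed, and every address and threshold below is an assumption.
"""
from collections import defaultdict

DEVICE_IP = "192.168.1.42"       # assumed LAN address of the assistant
AUDIO_BYTES_PER_SEC = 8_000      # assumed: 16 kHz/16-bit mono is ~32 kB/s raw, less when compressed
MIN_DURATION_SEC = 2             # ignore single-second bursts (e.g. an update check)
WAKE_SLACK_SEC = 3               # an upload starting this soon after a wake word is expected


def build_sample_flows():
    """Constructed per-second flow records (t_sec, src_ip, dst_ip, bytes). Not a real capture."""
    flows = []
    for t in range(30):
        flows.append((t, DEVICE_IP, "52.0.0.10", 40))        # idle keep-alive from the assistant
        flows.append((t, "192.168.1.7", "52.0.0.20", 500))  # unrelated laptop traffic
    for t in range(5, 9):                                    # upload right after a wake word at t=5
        flows.append((t, DEVICE_IP, "52.0.0.10", 30_000))
    for t in range(20, 25):                                  # upload with no wake word: should be flagged
        flows.append((t, DEVICE_IP, "52.0.0.10", 25_000))
    return flows


def outbound_bytes_per_second(flows, device_ip=DEVICE_IP):
    """Sum the bytes the device sent in each second; other hosts are ignored."""
    buckets = defaultdict(int)
    for t, src, _dst, nbytes in flows:
        if src == device_ip:
            buckets[t] += nbytes
    return dict(buckets)


def find_upload_windows(buckets, threshold=AUDIO_BYTES_PER_SEC, min_duration=MIN_DURATION_SEC):
    """Runs of consecutive seconds at or above threshold, as (start, end, total_bytes)."""
    if not buckets:
        return []
    windows, start, total = [], None, 0
    for t in range(min(buckets), max(buckets) + 2):   # one past the end flushes an open run
        n = buckets.get(t, 0)
        if n >= threshold:
            if start is None:
                start, total = t, 0
            total += n
        elif start is not None:
            if t - start >= min_duration:
                windows.append((start, t - 1, total))
            start = None
    return windows


def unexplained_uploads(windows, wake_times, slack=WAKE_SLACK_SEC):
    """Upload windows that do not begin within `slack` seconds after any wake-word event."""
    return [w for w in windows if not any(0 <= w[0] - wt <= slack for wt in wake_times)]


def analyze(flows, wake_times, device_ip=DEVICE_IP):
    """Return (all upload windows, the subset with no wake word to explain them)."""
    windows = find_upload_windows(outbound_bytes_per_second(flows, device_ip))
    return windows, unexplained_uploads(windows, wake_times)


if __name__ == "__main__":
    # Constructed wake-word log: the user said the wake word at t=5 only.
    windows, suspicious = analyze(build_sample_flows(), wake_times=[5])
    for start, end, total in windows:
        tag = "unexplained" if (start, end, total) in suspicious else "after wake word"
        print(f"upload {start}-{end}s, {total} bytes: {tag}")
```

Two caveats apply when reading the output. The traffic to the cloud is encrypted, so this sees volume only, never content, and a device that buffers audio and uploads it later, or compresses it heavily, would slip under a per-second threshold; lower the threshold and widen the wake-word slack before drawing conclusions. Getting per-second byte counts per LAN address in practice means a router or switch with flow export, or a tap in front of the device, rather than the constructed records used here.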

Oddly, we protest against government surveillance programs such as the NSA’s PRISM in the US and GCHQ’s programs in the UK (programs that are at least designed to protect a nation and its citizens), yet we freely give more identifiable information to private companies for the benefit of playing music, getting traffic reports, and ordering coffee.

Now that Amazon and Google have all your information, what do they do with it, or what can they do with it?

Amazon Terms of Service

Voice Services: You control Alexa with your voice. Alexa streams audio to the cloud when you interact with Alexa. Alexa processes and retains your voice input and other information, such as your music playlists and your Alexa to-do and shopping lists, in the cloud to respond to your requests and improve our services…

Business Transfers: As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise)…

Google Terms of Service

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content…

Based on these terms, the vendors can sell or use your personal information, including your voice biometrics, which is alarming. This information could also, in theory, be stolen or transferred to a government agency such as the NSA or GCHQ. The NSA’s surveillance programs already collect communications data globally; combined with voice biometrics from Amazon, Google, Apple, and Microsoft, they would be able to identify speakers and their locations with much greater accuracy.

Unlike the majority of IoT devices, where the threats can be mitigated, these voice command devices such as the Echo or Google Home are designed to capture information, including your voice biometric, and that cannot be mitigated. You must rely on the vendor (Google or Amazon) to keep your data secure and hope it’s not stolen or shared with a government agency; unfortunately, there is no guarantee of either.

If you use these devices you must accept the risks. Those risks grow with every use of Siri, Cortana, Echo, and Google Home, and they are significant.

Update 12/28:

A police department in Bentonville, Arkansas, requested information from Amazon regarding an Echo and its voice records. Amazon twice refused the requests from Bentonville law enforcement. Amazon said: “Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.” What this is saying is: get a proper subpoena and we will provide the information.

Three books that aren’t too far from the truth and put things in perspective are Digital Fortress by Dan Brown (a novel, 1998), The Shadow Factory by James Bamford (2008), and Data and Goliath by Bruce Schneier (2015). The latter two are non-fiction, and all three are still relevant.