Smart devices have revolutionized the home, from Alexa to Google Home and beyond. According to a report, as of 2020, the number of smart speakers in use was 320 million. Experts predict the usage percentage will double by 2024-end. However, with this technology comes new safety concerns. Smart speakers can record audio and send it for analysis. This means that anyone who has access to your smart speaker may be able to listen in on conversations you have in your home or office!
What are smart home speakers?
Smart home speakers are intelligent devices that have a voice assistant (and microphone) with the speaker. Using that voice assistant support, users can activate the assistant and give commands to execute a task. Users often use smart home speakers to control wireless-enabled lights, gather weather forecasts, read web pages, or order various products. Some well-known smart home speakers are Google Home, Amazon Alexa, Apple HomePod, Zebronics Zeb-Smart Bot, and Amazon Echo.
Cyber threat example - Google Home
Every type of technology has security flaws, and this includes smart home speakers. Security researcher Matt Kunze discovered a flaw in Google Home speakers that allowed hackers to install a backdoor account. This backdoor allowed the hacker to control the speaker remotely and use it as a listening device. He found that he could add a new account using the Google Home app and send commands remotely via the cloud API. While scanning with Nmap, the researcher found the port for the local HTTP API of Google Home. So, he prepared a proxy to capture the encrypted HTTPS traffic. The researcher wanted to grab the user authorization token. He found that adding a new user account within the target device required only two steps. It required the device name, certificate, and "cloud ID" fetched from the local API to set a link and send requests to the Google server. Last year, Matt Kunze was awarded US$ 107,500 for responsibly informing Google about the threat.
Security threats associated with home speakers
Illegal access: According to the security researcher Matt Kunze's report, attackers can add a rogue user account to smart home devices like Google Home. Then, they can automate the exfiltration of the local device data, remotely control the device, and reproduce the linking request with the compromised smart device.
Privacy issues: Brands like Google and Amazon lead the global smart speaker market. Since data is the new oil, and these massive companies are data-centric, users must have a fair idea about their default privacy configuration and how to change these default settings. Smart home speakers can gather vast amounts of data without your knowledge. Bugs or errors in these devices' software could turn smart speakers into surveillance units.
Tap or misuse phone calls: Researcher Matt Kunze discovered that attackers might abuse the "call [phone number]" command in these smart speakers. They can remotely activate the microphone at a specific time and listen to the live microphone feed. For Google Home, the LED will turn blue. It is the only indicator of ongoing activity. Even if the victim notices it, they might think the smart home speaker is updating the firmware.
Tips & best practices
Watch what you connect: Be aware of the devices you connect to your smart home speakers. It is a good practice to avoid linking security functionalities like a door lock or a surveillance camera to such devices.
Become familiar with the privacy settings: As a concerned user, dive into the security and privacy settings to customize your privacy measures. This way, cybercriminals cannot take advantage of the default settings.
Mute the microphone: Manually mute the microphone using the physical button when you are not using the device.
Delete history: Periodically, delete all command history and erase local or cloud storage of past recordings. This way, if an attacker accesses the device
storage, they will not have your entire user history.
Smart speakers are a fantastic tool to help automate your daily life. However, due to the current level of security, these devices are vulnerable to cyberattacks. As a user, you should be aware of the possible threats and take necessary precautions for your own safety. Be sure to closely monitor any suspicious behaviour on your smart home device and consult experts if needed.