Most IoT device security is pretty terrible, so you’re probably assuming that virtual assistant devices like Amazon Echo and Google Home are a major risk. After all, these devices record all nearby conversations (at least temporarily). But while Alexa does pose some privacy issues, we don’t consider it a major security risk.
Why? Two reasons. First, major companies like Amazon, Google and Apple take security seriously and their devices are quite hardened. In fact, we tested an Echo Dot as part of a recent IoT pen testing project and it passed all our security assessments. Companies like Amazon and Google put in the time and effort to make their products secure (not impossible to hack, but much more secure than an IoT webcam or a device from a minor manufacturer).
Second, an Echo is a low-value target for a hacker. These home automation devices don’t store data long-term; they record it, transmit it, then delete it. So hacking an individual Echo could net a hacker some personal information on a few people, but hacking a major website’s database could get them personal information on hundreds of thousands of people. In short, there are plenty of less-secure devices and platforms that can yield a great reward for bad guys.
While it’s highly unlikely a cybercriminal will hack your virtual assistant device, we do advise that individuals avoid discussing sensitive information near an always-on listening products like Echo. Businesses should also segment all IoT devices including virtual assistants from their corporate network in case one of them is infected.
Read more about virtual assistant security here on Secplicity and in CSO Online. For more on IoT security, check out WatchGuard CTO Corey Nachreiner’s article about why home gaming consoles might be the most secure device in your home.