Most IoT device security is pretty terrible, so you’re probably assuming that virtual assistant devices like Amazon Echo and Google Home are a major risk. After all, these devices record all nearby conversations (at least temporarily). But while Alexa does pose some privacy issues, we don’t consider it a major security risk.
Why? Two reasons. First, major companies like Amazon, Google and Apple take security seriously and their devices are quite hardened. In fact, we tested an Echo Dot as part of a recent IoT pen testing project and it passed all our security assessments. Companies like Amazon and Google put in the time and effort to make their products secure (not impossible to hack, but much more secure than an IoT webcam or a device from a minor manufacturer).
Second, an Echo is a low-value target for a hacker. These home automation devices don’t store data long-term; they record it, transmit it, then delete it. So hacking an individual Echo could net a hacker some personal information on a few people, but hacking a major website’s database could get them personal information on hundreds of thousands of people. In short, there are plenty of less-secure devices and platforms that can yield a great reward for bad guys.
While it’s highly unlikely a cybercriminal will hack your virtual assistant device, we do advise that individuals avoid discussing sensitive information near always-on listening products like Echo. Businesses should also segment all IoT devices, including virtual assistants, from their corporate network in case one of them is infected.
Read more about virtual assistant security here on Secplicity and in CSO Online. For more on IoT security, check out WatchGuard CTO Corey Nachreiner’s article about why home gaming consoles might be the most secure device in your home.
Mehgan says
Let me start off by saying this is a great read and definitely something to think about!
However, I thought you should be made aware that there is a spelling error in the third paragraph in the last sentence, “plenty of less-secure devices and platforms that can yield a great reword for bad guys.”
Kurt Silton says
I’m not that concerned about these individual devices in my home for the very reasons you state in the article. But, I am very concerned about what Apple, Google, and Amazon are doing with what they have heard other than what the user intended. Can they mine the conversations for marketing opportunities above and beyond what a user intends? Can the government require that Amazon, Apple, Google turn over their data about a user? How much conversation is really stored? What are the privacy implications? And what happens when Google’s server is hacked?
Mike says
I suggest not just businesses, but also home users segment IoT devices from the rest of their network. Short of actually creating two networks, many modern wireless routers offer a guest network which is a better option for these devices, IMO.