“By sitting in the alcove, and keeping well back, Winston was able to remain outside the range of the telescreen, so far as sight went. He could be heard, of course, but so long as he stayed in his present position he could not be seen.”
The above quote is a snippet from George Orwell’s dystopian-themed novel 1984, where Big Brother is constantly monitoring devices called telescreens installed in everyone’s home.
With that eerie similarity, we’ve seen the explosion of virtual home assistants, especially Amazon’s Alexa, make their way into our homes. Unfortunately, I think people are rushing towards convenience without thoroughly thinking through the privacy ramifications of these systems. (I know the example of Alexa vs Orwellian monitors is a bit over the top, but it’s the first thing I thought of when researching these devices.) Before diving headlong into the world of Alexa and of other virtual assistants, let’s take a precautionary look at the risks of going down this path.
Let’s get an understanding of how Alexa works. These systems are small household devices that dutifully listen for their “wake word.” These words trigger Alexa to “turn on” and respond to the question or command being asked. With Amazon, the wake word is “Alexa,” followed by input commands tied into a “skill” or something Alexa is programmed to perform after being commanded. These systems are always on, meaning exactly what it sounds like: They’re always listening.
When the wake word is spoken, it actually takes a few seconds of recorded data before the wake word and about 60 seconds in recorded data in total. This data is stored locally and sent up to the cloud for analysis and to assist with Alexa’s logic. By default, this data is sent to Amazon’s AWS storage over port 443 and is encrypted in transit. The data is then reviewed by Alexa Voice Services (AVS) in the cloud and interpreted based off Alexa’s programming. These recordings are also used to better understand speech by Amazon, helping to teach its A.I. about accents and speech recognition.
One of the biggest selling points for Amazon is its ability to have other apps integrate with it, something which will constitute a huge privacy/security concern going forward. Amazon has created a framework called the Alexa Skills Kit (ASK), which is a collection of third-party requirements on how to develop a custom skill or function into Alexa. These custom integrations don’t have to stay on AWS and can be hosted elsewhere as long as they’re communicated securely via 443. It’s with these Skill Kits that Alexa is able to communicate with home devices and custom content. The possibilities are endless.
My first concern with these systems is that they’re always on, recording you in the privacy of your own home. Many people may feel comfortable with this but, in my opinion, your home is the place where you should have complete privacy if you want it. At what point will you no longer feel alone in a room? Might you feel cautious about what you say in private to a family member if you know you’re being recorded? At what point will you no longer care? I’m not sure what’s scarier, but these questions need to be asked.
The security concerns on these devices are also something to be concerned with. We’ve seen the rise of insecure Internet of Things (IoT) devices over the past year, and this is adding another device to the fray. No one envisioned traffic cameras and DVRs would be used to take down half the internet with a DDoS attack, and we should be suspicious about adding any new device to our home without considering the security ramifications.
What happens if this device is compromised? With third-party integrations building skills into Alexa, how will my data be protected on their site? Will it be mined and sold? Do I want my children’s voices and questions in the hands of marketers, and how does this apply to the Child Online Privacy Protection Rule (COPPA)? We’ve seen malware made for almost everything, and it’s just a matter of time before attackers focus their attention on abusing similar services.
If we can create personal integration to open our homes, turn on lights, and interact with our real lives, we’re inviting malicious attackers to do the same. What if they have the ability to pull bank and health information just because you’ve made inquiries to Alexa regarding them? What if malicious access to the systems turns your heat on for a period of time and causes a fire? What if it drops heat and causes someone elderly to freeze? Convenience isn’t always a safe thing.
“We do not guarantee that Alexa or its functionality or content (including traffic, health, or stock information) is accurate, reliable, or complete. Alexa may allow you to interact with or operate other products, such as lights, appliances, or locks, and Amazon has no responsibility or liability for such products.”
They also have the ability to have your data stored in services outside the country if they want. Finally, if they decided to add additional services or add another wake word, they could do so at a time of their choosing, leaving a new software update a risk by saying.
Having your life connected verbally and with all systems has its benefits but in the long-term, I think having them connected will be more of a risk. You do have the ability to remove and delete parts of your conversation, which is good, but according to Amazon, this will degrade the experience. So Amazon, of course, doesn’t recommend it.
Since I still have my tinfoil hat on, let’s continue with our example of Big Brother in 1984.
Fact: One of Amazon’s largest customers is the CIA. Yes, that’s correct. A few years back, the American government signed a deal worth $600 million dollars to work with Amazon. Anyone who’s in business knows you don’t want to disturb your largest customers. I’m personally concerned that huge deals like this with the government will make Amazon more lenient towards following through with pressure from them when it comes to surveillance requests in the future. Now, before you say Amazon would never succumb to such pressure, let us not forget how they treated WikiLeaks, who was hosting their site on AWS. Amazon brought down WikiLeaks after the government requested they do so. Large customers always have a lot of pull, especially when they’re a nation-state.
We’ve also recently read about the murder investigation with which the Arkansas police is requesting Amazon’s assistance. They’re looking for any data Amazon might have recorded during the time of the alleged murder and if it could be used for their case. Amazon has currently been quoted as saying the following:
“Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
But in all honesty, how is this any different than other mobile data or cell phone usage? It’s only a matter of time before Amazon will fulfill these requests with appropriate warrants, and rightfully so, but this is yet another area of surveillance and privacy we’re losing as a society.
We’re in the beginning phases of virtual assistants injecting themselves into our lives, and with the holidays having passed us, we’ve seen these devices show up as gifts in our homes without much of an afterthought (Trojan horse?). These devices aren’t here to make your lives easier, like what they’re being sold as. They’re an entry point for a business to enter into your home.
As time goes by, I think we’ll see these devices take a greater role than they were initially marketed as and will become, like smartphones are today, a view into your private world (e.g. when video will be added). These devices are programmed to tell jokes and interact in human ways, and in doing so, they are programming us to trust them.
In the comfort of your own home, you have a level of privacy that you assume, but when you’re being recorded, it’s eerily similar to the dystopian society described by Orwell in his book 1984, with Big Brother listening in every room. Except, in this instance, we’ve installed him/her, or should I say “adopted” them, into our family.
About the Author: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email firstname.lastname@example.org.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.