Security News

Could smart speakers undo your smart home?

Martin Hron, 17 September 2018

Avast Security Researcher Martin Hron explains why your smart speakers may be the next big target.

Juniper Research predicts that by 2022 more than half the homes in the U.S. will contain smart speakers like today’s popular Amazon Alexa and Google Home, and it’s easy to see why. Providing the answer to any question we can dream up, producing music and other entertainment on demand, handling our online shopping, they are one giant step towards the personal droid assistants we’ve all been craving since meeting C-3PO and R2-D2.

But as irresistible as they are to today’s consumers, they are doubly so to cybercriminals, who want to hack into as many as they can. These smart speakers accumulate personal info and deep-level permissions the more we incorporate them into our lives, and they become virtual (and literal) treasure troves to criminals looking to steal your identity or your money.

There are two security issues we can flag right out of the gate —  poor built-in security and overeagerness to get it set up and working. Developers who are more interested in making the devices as easy and convenient as possible oftentimes do not dedicate much development to security. With such a device, the good news is that it sets up in a snap, but the bad news is it can also be hacked in a snap. On top of this poor security, users are typically so excited to experience the convenience that they don’t take time to change the default settings first.  

Alexa, read me Bill’s emails

If the smart speaker stays in its default setting as the user proceeds to link various accounts to it — Spotify, Amazon, Google — then permission to access those accounts has been granted to anyone who asks Alexa for it. Users need to adopt the habit of making every login as secure as possible when setting up a new account or device.

The command is coming from outside the house

The key to hacking your smart speaker, and any of your IoT devices, is through your router, which is the gateway to your entire connected home network. If the hacker gets into the router, he or she can potentially compromise every computer and device connected to it. And if any of those devices besides the smart speaker has audio capabilities, the hacker can have the device vocalize commands to the smart speaker, for instance having it unlock the front door or open the garage. Before you know it, all your little devices are communicating with each other like an army of betrayers.

Potential hidden flaws

Smart speakers, and IoT devices in general, are a relatively new technology, which should make any tech-savvy user a little wary. Some speakers have already been affected by the BlueBorne bluetooth vulnerability.  It would be a crime (literally) if another Eternal Blue incident occurred, i.e. a critical flaw found in a device or computer that’s already been widely distributed. Could there be an unknown vulnerability built into smart speakers, just waiting for a cybercriminal to discover and exploit it? Hopefully not, but those of us in cybersecurity are watching the IoT industry carefully.

Right now, smart speakers are typically targeted as part of a wider attack, such as Bluetooth hacks and router hijacking. As more households install smart speakers, and more people begin relying on them, I suspect we will start seeing cyberattacks targeted specifically at smart speakers for the riches they unlock.

For now, smart speaker owners should stay aware of the risks. At the very least, change the default settings to boost security during installation of the device, but even better would be strong security protection for your router. My wish is that smart speakers and IoT devices would come with high-security measures as the default, so that we would have to opt out in order to weaken our security. Unfortunately, in the name of convenience, it’s the other way around currently, so the best we can all do is stay knowledgeable and vigilant.