Join IoT Central | Join our LinkedIn Group | Post on IoT Central

Keeping Voice-Activated Smart Home Device From Talking to the Wrong People

The introduction of voice-activated smart home solutions – like Amazon Echo and Dot, Google Home, and Apple’s HomePod – have brought with them the dream of convenient Star Trek-like interfaces where a user’s spoken wish is their command. But at the same time, these devices have served as a Trojan Horse, increasingly inviting in security issues and unintended consequences. The greatest security vulnerabilities created by these products are due to the fact that, while they prominently feature advanced voice recognition, they cannot really tell who’s talking. The dangers this presents are compounded when the devices feature the ability to make purchases (with few safeguards under default settings), as well as control smart home features (lights, thermostats, locks, etc.) that users do not want malicious actors to be able to manipulate.


These factors have contributed to a number of actual events, which land somewhere between fascinating and frightening as to the level of harm they represent – but all should certainly provoke concern. In one story, a local news report told the tale of a child who managed to order a dollhouse and cookies from the family’s Amazon Echo, and actually repeated and amplified the issue. Viewers of the segment then complained that their own Amazon devices responded to the voice on the television by attempting to order dollhouses. In another example, an ad campaign for Burger King took advantage of Google Home devices in an innocuous but troublesome manner, purposefully triggering the devices to begin reading the Wikipedia entry for the Whopper aloud in people’s homes. Google soon took action to stop Home devices from responding to the ad, but the security issue was clearly demonstrated.


The companies behind these devices are tasked with performing something of a balancing act: customers want full featured devices with the convenience of easy purchasing and control over their homes by voice, but those features can be at odds with the cumbersome security measures that would ensure greater safety. These providers will certainly iterate and work to address these issues, but, in the meantime, there are a number of steps that users ought to take to improve security on these voice-activated devices now. These include:


1) Customize your device’s “wake up” word.

Whether it’s “Alexa” or “OK Google” or “Hey Siri,” the default phrases that tell devices to start listening for commands are widely known – and therefore easily exploited by those with less-than-charitable intentions. Where the device allows this initial command to be personalized to a custom term that isn’t commonly used, doing so will thwart many basic attempts to cause trouble.


2) Choose the device’s location wisely.

Placing your device near the TV is an obvious source of trouble, as proven by the examples above. Keeping the device away from windows, doors, and any other devices with speakers will further help avoid the triggering of accidental or malicious voice commands. (Certainly a scenario where anyone can say “Alexa, unlock the front door” through a cracked window to gain access represents a major problem.)


3) Disable purchasing by voice.

Unless you love purchasing by voice and have full confidence that no other entity is in a position to speak with your device, it’s a good idea to disable this option. It’s similarly smart to enable text or email alerts that let you know when products are ordered with your accounts, so you can address any issues quickly.


4) Limit the command over other smart home devices to the essentials.

It’s tempting to give your voice-activated smart home hub full access to all those new intelligent devices, for both convenience’s sake and a sense of holistic control. For the security of your home and your money, however, it can be smarter to separate out more sensitive systems – even if it means jumping through an extra hoop (which unauthorized users can’t).


5) “Mute” the device when not in use.

With both Amazon Alexa products and Google Home, it’s possible to mute the devices so that they won’t listen for instructions until re-enabled. While this limits the spontaneity with which you can issue commands, it also confines issues extremely effectively.


6) Review default settings and security when installing a new device.

Finally, it’s always better to prevent issues than respond to them. When setting up a voice-activated device in your home, be sure to explore the security profile of the device at that point (before engaging in regular use). It’s a much better experience than later asking your device how to return the dollhouse your TV ordered by accident.

photo: Amazon

Jeff Finn is CEO at zvelo, a provider of content and device categorization, as well as malicious botnet detection services.