Home security and bad actors. PHOTO: Cybercrime Magazine.

Home Security: Is Your Smart Speaker Talking To The Bad Guys?

Google Home and Amazon Alexa are very attractive targets for cybercriminals

Martin Hron, Security Researcher at Avast

Prague – Apr. 16, 2018

Maybe you have a Google Home or an Amazon Alexa in your home? You wouldn’t be alone — Juniper Research predicts that smart devices of this kind will be in 55 percent of U.S. homes by 2022. Whether you use your smart speakers to wake up on time for work, to play music, or to buy items online, the truth is that they will over time gather and hold valuable personal data about you and your habits. This makes them a very attractive target for cybercriminals interested in stealing your money or your identity.

It’s only a matter of time until we see smart speakers like this under attack by bad actors. Many of the cheaper types are designed to be as convenient as possible from the moment their owners take them out of the box and are therefore not built with security in mind, so their default settings are generally weak. The initial setup takes just a few minutes, which users may find attractively convenient, but is actually bad when it comes to security.

How users set up their smart speakers and what they allow them to do on their behalf is a crucial part of the security level. Many users probably do not consider adjusting a smart speaker’s default settings, either because they are unaware of the security risks or because they trust the device is completely secure.

Personal emails for anyone’s ears

The first thing many do when setting up their smart speaker is link various accounts to it, such as their Amazon account, Google Mail and Calendar, and their Spotify account, using the device’s default settings. These seemingly innocent actions can have major consequences. Without secure logins, for example when the smart speaker is not required to verify that a command comes from the actual owner of the device, the smart speaker can do things like read emails aloud or place an order, regardless of who is asking. This means that family members or anyone visiting a home with a smart speaker, welcome or not, can draw personal information from the device.

Creepy remote orders from the outside

Hackers don’t necessarily need to be in range of a smart speaker to make it do things on their behalf, nor do they even have to hack the smart device. Attackers can hack into a network through a vulnerable router and from there hack other IoT devices connected to it. Hacking another vulnerable smart device that is capable of playing recordings gives hackers the power to speak to a smart speaker. If a smart speaker is set up poorly, it will do anything anyone tells it to.

A bad actor can also abuse smart speakers to gain physical access to a home. If a smart door lock is connected to a smart speaker, a burglar could either command the smart speaker through a window to open the lock or hack into the home network and have another device command the smart speaker to unlock the front door.

Waiting for the inevitable vulnerability

While bad actors, people with malicious intentions, are the biggest threat to smart speakers, it is inevitable that we will soon see attackers who deliberately target smart speakers directly. They will most likely do this by exploiting currently unknown vulnerabilities. Last year, an exploit called “BlueBorne” was discovered; it allowed anyone within range of a Bluetooth-enabled device to take control of the device, provided they had the right tools — tools that were readily available. The Alexa smart speaker was one of the devices that could be hacked using the exploit.

There is also the concern about vulnerabilities we haven’t found. It often happens that vulnerabilities come to light years later, meaning IoT devices, like smart speakers, could already contain vulnerabilities — we just don’t know it yet. EternalBlue is one example of this.

EternalBlue had existed in Windows as far back as Windows XP. It became widely known in 2017 as it allowed attackers to carry out the largest ransomware attack in history, dubbed “WannaCry.” Reports indicate that the NSA discovered the EternalBlue vulnerability and kept it secret. It is not known when exactly EternalBlue was discovered by the NSA, but it is thought they may have discovered it shortly before it fell into the wrong hands. EternalBlue is the perfect example of how a vulnerability, which had flown under the radar for years, can come to light and allow cybercriminals to wreak havoc.

Awareness of security and privacy risks is key

The more we surround ourselves with IoT devices, like smart speakers, the more motivation the bad guys will have to target them. Smart speakers, in particular, are an interesting target as they are designed to soak up a plethora of personal information and, in most cases, have access to various personal accounts like Spotify, Amazon, eBay and email, which are themselves full of valuable and interesting data.

A vulnerability that could be abused to attack smart speakers could be found tomorrow, in five years, or never. Only time will tell. The more smart devices that are used, the higher the risk of a vulnerability being found, as cybercriminals will increasingly have a larger, and therefore more valuable, target pool. Instead of waiting for the day to come when hackers remotely access smart speakers or when someone close to them attempts to use them to snoop on private individuals, users of smart speakers need to become more conscious of the information they are feeding their smart speakers and consider what someone could do if they got their hands on this information.

Awareness around the security risks of smart devices, including smart speakers, needs to be raised. Users should pay special attention when choosing to use the default settings their smart speakers come with, and when deciding how they want to use their smart speakers. Smart speaker and IoT device security, in general, should be opt-out instead of weakened to make users’ — and therefore cybercriminals’ — lives more convenient.


Martin Hron is a Security Researcher at Avast.

Avast is one of the largest security companies in the world using next-gen technologies to fight cyber attacks in real time. We differ from other next-gen companies in that we have an immense cloud-based machine learning engine that receives a constant stream of data from our hundreds of millions of users, which facilitates learning at unprecedented speeds and makes our artificial intelligence engine smarter and faster than anyone else’s.