IoT Security

Keeping Alexa out of the boardroom (and the bedroom office): IoT security tips for remote employees

April 20, 2020 by Susan Morrow

Introduction 

I can’t help myself. I find myself liking Alexa. She/he/it isn’t exactly a friend, but I can play music and find out the weather and do all sorts of things. I tell myself that Alexa is useful for work too: for research, interesting product design features for identity services and more. 

Voice-enabled services are playing a greater part in our lives, especially now that many of us work from home during the COVID-19 pandemic. But when we make those work calls or do Zoom conferences, can we depend on Alexa to be respectful of our privacy?


As workers across the globe move to remote working because of the pandemic, Alexa is our home office stalwart, beside us through our stay-at-home vigil. And as the pandemic eases, we may find that we continue to work from home more often. Remote working is a model of choice for many; a poll on attitudes towards remote working found that 99% of respondents want to work remotely at least part-time.

However, Alexa and similar digital assistants have been under scrutiny by the privacy and security community, and many security and privacy concerns are being aired about Amazon Alexa. Is Alexa safe to use in a home office? Should we view a seemingly innocent digital assistant as dangerous?

In this article, I look at the “Alexa is bad” claim and ask this question: should organizations be concerned about protecting sensitive information under Alexa’s watchful eye? What are the concerns around security and privacy, and should we just switch Alexa off while working from home?

Potential IoT security concerns

Amazon sold 146.9 million Alexas in 2019. Many of them are now sitting next to remote workers as they carry out their business, go on conference calls, talk to colleagues by phone, send out company emails and perform other official duties, many of which involve company data. 

But as you work, consider how your little plastic friend Alexa may be smarter than you think. Here are some examples of Alexa privacy and Alexa security issues that may make you reach for the off switch.

Alexa trouble: Case 1

Back in 2018, when GDPR came into force, a privacy request was made by an individual for copies of the personal data that Amazon held on him. It is worth noting that at this point, the person did not own an Amazon Alexa; this was simply a request for general Amazon data. He was sent a number of files, including .wav files. They turned out to be voice recordings and other data of another Alexa user.

Alexa trouble: Case 2

Vulnerabilities are common in just about everything digital. When those vulnerabilities can result in leaked company data, an organization needs to know about it. 

Security Research Labs (SRLabs) found vulnerabilities in Amazon Alexa (and Google Home) that opened the door to vishing (voice phishing) and eavesdropping. The vulnerability allowed SRLabs researchers to use Alexa Skills (or Google Actions) to create an “eavesdropping” skill. The group describes on its site how the “intent” function of a skill was used to manipulate Alexa.

Using this flaw, the researchers could steal data, including passwords, and listen in on conversations after the user had issued the “stop” command. SRLabs shared the vulnerabilities with Amazon, which is working to fix them.

Alexa trouble: Case 3

A woman in the U.S. asked Amazon to investigate her claim that Alexa had recorded private conversations between herself and her husband. The recordings were then sent to a random person in her contact list, without her knowledge. The likely cause of this privacy violation was that a word sounding like the “Alexa” wake-up word was spoken during the conversation. It is likely that the conversation also mentioned the contact to whom the files were then sent.

Many of the issues around Alexa privacy and security involve the voice capture and recordings used to allow Alexa to function optimally. The more data collected, the more accurate Alexa’s responses should become. Certain keywords, such as the Alexa “wake up” command, are behind many of the vulnerabilities.

Below, we look at ways you can mitigate many of the more intrusive privacy aspects of working with Alexa in your home.

10 actionable tips for remote workers to ensure company data is secure (even if Alexa is around)

A digital assistant, while useful on an individual level, makes things more complicated and potentially adds security issues in a work context. As we have seen from our example cases of Alexa going rogue, data can be exposed through the device. If this data is confidential business communications, this could have dire consequences. 

Business data comes under much scrutiny. Data protection laws, customer trust issues and protection of company Intellectual Property (IP) all require additional considerations and layers of protection. 

The question is, with many of us working from home, can we make Amazon Alexa safe to use in remote working scenarios? Can we ensure these additional layers to protect business data are robust? And in doing so, can we ensure that our company’s confidential data is safe?

Here are 10 tips for using Alexa safely whilst working remotely:

  1. Start at the very beginning: Make sure your Wi-Fi is secure. Practice good Wi-Fi hygiene: if you share a household, use a private network, if possible; change the default router and Wi-Fi passwords; keep firmware patched and up to date.
  2. Double-check Alexa: Alexa is associated with an Amazon account. Switch on Amazon’s two-factor authentication (2FA) to add an additional security layer to that account.
  3. Be watchful: Keep an eye on your Amazon Alexa and understand how the device responds when it is recording. If in doubt, unplug Alexa from the electricity supply while you are on a sensitive call.
  4. Know your Alexa: Amazon is attempting to improve Alexa’s privacy. They have added new commands such as “Alexa, tell me what you heard.” Keep up to date with any new privacy or security features by reading the Amazon blog.
  5. Delete Alexa recordings: Delete any voice recordings as you go. Amazon has a Privacy Hub which allows you to delete voice recordings.
  6. Change “Alexa”: Change the default “Alexa” wake-up word to another one of the options (there is currently a limited choice). Keep checking the Amazon Alexa blog to see if the limit is removed. If/when it is, use a custom wake-up word.
  7. Shut up Alexa: Alexa keeps a short recording buffer while listening for the wake word, so that it has time to verify the word: 500 milliseconds of pre-roll, to be exact. When on calls, mute Alexa by using the microphone “off” button. If your Alexa has a camera, switch that off during conference calls and make sure it isn’t placed in a position to watch you work on your computer.
  8. Don’t call through Alexa: You can use Alexa to make calls, even video calls if you have the camera version. Consider blocking contacts, or disabling contact syncing from your smartphone, to avoid any mishaps. You might want to prevent voice or video calls altogether, as the calls create voice files that are ultimately shared via a cloud server, increasing the overall attack surface.
  9. Throw the book at Alexa: Have an “Alexa at work” policy. Make sure that you make staff aware of the privacy and security pitfalls of Alexa when working from home. Add digital assistants and home IoT devices as a section in your company security policy.
  10. Last but not least: If you decide to sell your Alexa, make sure that you have deleted all of your old files and deregistered the device with Amazon.


As we move into an era where home working (even post-COVID-19) may well become more normalized, we must ensure that our security measures reach out into the homes of workers.

In this current climate, where cybercriminals are actively looking for opportunities, we need to be extra-vigilant. This vigilance extends to our remote workers. By making our staff aware of the security and privacy implications of using Alexa, we can also help mitigate leaks, both accidental and malicious, via the device.


Sources

  1. State Of Remote Work, Buffer
  2. Strategy Analytics: Google and Amazon ceded smart speaker market share to Chinese rivals in 2019, VentureBeat
  3. Alexa, Who Has Access to My Data?, heise.de
  4. Smart Spies: Alexa and Google Home expose users to vishing and eavesdropping, Security Research Labs
  5. Woman says her Amazon device recorded private conversation, sent it out to random contact, KIRO 7
  6. Amazon Devices Event – September 2019, Amazon Blog
  7. Alexa Privacy, Amazon
  8. Enable Cloud-Based Wake Word Verification, developer.amazon.com

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.