Voice assistants and cybersecurity: is it already too late?

Back to Press Archive

Voice assistants are more popular than ever and are supposed to make our lives easier, not spy on us. And yet, the possibility of hacking is a stark reality. Here’s why.

Over 56 million voice assistant products will be sold in 2018, according to a report by Canalys. With smart docks like the Apple HomePod, Google Home, and Amazon Echo for example, Siri, Google Assistant, Alexa, and Cortana are set to become as omnipresent in our homes as they are on our smartphones. They’re a great tool for making our lives easier and saving time, but they also pose a risk in terms of information security, considering the hyperconnective nature of these objects and the poor levels of protection on offer.

In an article on the Motherboard website, Israeli researchers Tal Be’ery and Amichai Shulman, both cybersecurity specialists, made the following unsettling conclusion: “We still have a bad habit of introducing new interfaces in machines without fully analysing the implications for security.

From subvertising to ultrasonic intrusion

Recent news has proven them right, with revelations of security vulnerabilities and voice assistant hacking.

In April 2017, Burger King added to the debate with an ad just under 15 seconds long. In the ad, all an employee at the fast-food chain had to say was: “OK Google, what’s a Whopper?” This activated the voice assistants of viewers, giving the Wikipedia description of the famous burger.

For some, it was a stroke of advertising genius, for others, a clear example of the risks posed by voice assistants. Tal Be’ery and Amichai Shulman also demonstrated that hacks could be a lot more sinister. The researchers found a way to bypass the password screen on a Windows computer by using Cortana, the Windows 10 virtual assistant. How did they do it? By taking advantage of the fact that this assistant is never ‘off’, meaning that it responds to certain voice commands even when devices are locked.

A similar, more insidious example of this came when Chinese researchers developed a technique called DolphinAttack, involving ultrasonic commands inaudible to humans that can be picked up by a computer microphone. Most voice assistants can be activated remotely.

Another vulnerability that left a bad taste in Apple’s mouth: the confidentiality function can be hacked to hide the content of messages appearing on the lock screen of its devices. This effectively turns Siri (Apple’s proprietary voice assistant) into a Trojan horse. Brazilian website Mac Magazine also revealed that anyone could access these hidden messages by asking Siri to read them out loud.

Raising awareness and encryption are the only immediate countermeasures available

By their nature, voice assistants are always on. This means that the microphones on these voice assistants, particularly through connected docks, pose real confidentiality problems,” confirms Paul Fariello, Technical Leader at Stormshield. He goes on to soften the blow: “But the risk is low when you consider that other more traditional techniques like ransomware and phishing are much easier for cybercriminals to use. Encrypting sensitive data to prevent use in the case of theft reduces the risk.

Today, developers are content to proceed with corrections on a case-by-case basis, “technological countermeasures for this type of problem haven’t been created yet. All you can do is raise awareness amongst users, which has its limits,” he adds. It is still not possible to implement additional security solutions in connected objects or smart docks due to the closed design of these devices. Faced with the endless imaginations of hackers, the best option appears to be Security by Design, which puts the responsibility on developers. Following on from fingerprints, could vocal fingerprints be the new biometric password to authenticate who’s allowed to access vocal assistants?


Stormshield

A European leader in digital infrastructure security and a wholly-owned subsidiary of Airbus CyberSecurity, we offer smart, connected solutions in order to anticipate attacks and protect digital infrastructures. Our mission: to ensure the cybersecurity and data protection of organizations, their employees, and their customers. Our expertise is available in three complementary product ranges for seamless security: Protection for industrial and IT networks (Stormshield Network Security), protection for servers and workstations (Stormshield Endpoint Security) protection for data (Stormshield Data Security). As per our Multi-Layer Collaborative Security approach, our product ranges interact with one another to raise the security level of IT, OT, and Cloud environments, regardless of the attack point.
These trusted, cutting-edge solutions are certified at the highest level in Europe (EU RESTRICTED, NATO, ANSSI EAL3+/EAL4+). Present in over 40 countries via our network of distributor partners, we ensure the protection of strategic information for companies of all sizes, public administrations, and defense agencies throughout the world.

Share this post

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Press Archive