Amazon Echo And Google Home Security Pitfalls And Best Practices To Protect Your Privacy
The smart home speaker market is red hot, with Amazon and Google leading the way with their respective Echo and Google Home products. And with Black Friday and Cyber Monday in view, there will be a lot more smart speakers find their way into homes this week, and through the holiday season. As with all Internet of Things (IoT) devices, it's important to keep security in mind, and Symantec has some tips on that very topic.
"While they make life easier in some ways, could voice-activated smart speakers also be endangering people’s privacy and online security? The range of activities that can be carried out by these speakers means that a hacker, or even just a mischief-minded friend or neighbor, could cause havoc if they gained access," Symantec warns.
According to Symantec, Amazon's Alexa-powered Echo family accounts for 73 percent of the smart home speaker market, with more than 20 million devices in the US alone. Google is second, and pretty much accounts for the rest of the market, leaving all other contenders to compete for bread crumbs. That could change next month when Apple launches its HomePod, but for now, Amazon and Google rule the roost.
The first thing to do is to make sure your smart speaker is running the latest update, which should already be the case since they feature persistent Internet connections. Even still, it's important to double check—Google's Home Mini speaker was recently discovered to be recording even when no wake-word or phrase was spoken. It was an issue with the activation button registering phantom touches, and Google rolled out an update to address the problem.
In addition, Symantec recommends protecting your linked account with a strong password and two-factor authentication (2FA) where possible. That's a good security tip in general, but even more important with smart speakers, since anyone with access to your account can listen in remotely.
Owners of an Amazon Echo product should also add a four-digit PIN code to prevent unauthorized purchases using voice commands, or disable the feature altogether. By default, users can buy products on Amazon through Alexa, and there have been some reports of children ordering toys without their parents' knowledge. This option is turned on by default.
"Someone with unsupervised physical access to your smart speaker could potentially modify the device or its settings to their benefit, but that’s true of most IoT devices. Just as important is to secure the home Wi-Fi network and all other devices connected to it," Symantec says.
With that in mind, users who are concerned about security should avoid connecting certain functions to smart speakers, such as opening door locks. Otherwise, a burglar with strong vocal chords could instruct a smart speaker to "open the front door" or "disable video recordings now."
Here are some tips:
"While they make life easier in some ways, could voice-activated smart speakers also be endangering people’s privacy and online security? The range of activities that can be carried out by these speakers means that a hacker, or even just a mischief-minded friend or neighbor, could cause havoc if they gained access," Symantec warns.
According to Symantec, Amazon's Alexa-powered Echo family accounts for 73 percent of the smart home speaker market, with more than 20 million devices in the US alone. Google is second, and pretty much accounts for the rest of the market, leaving all other contenders to compete for bread crumbs. That could change next month when Apple launches its HomePod, but for now, Amazon and Google rule the roost.
The first thing to do is to make sure your smart speaker is running the latest update, which should already be the case since they feature persistent Internet connections. Even still, it's important to double check—Google's Home Mini speaker was recently discovered to be recording even when no wake-word or phrase was spoken. It was an issue with the activation button registering phantom touches, and Google rolled out an update to address the problem.
In addition, Symantec recommends protecting your linked account with a strong password and two-factor authentication (2FA) where possible. That's a good security tip in general, but even more important with smart speakers, since anyone with access to your account can listen in remotely.
Owners of an Amazon Echo product should also add a four-digit PIN code to prevent unauthorized purchases using voice commands, or disable the feature altogether. By default, users can buy products on Amazon through Alexa, and there have been some reports of children ordering toys without their parents' knowledge. This option is turned on by default.
"Someone with unsupervised physical access to your smart speaker could potentially modify the device or its settings to their benefit, but that’s true of most IoT devices. Just as important is to secure the home Wi-Fi network and all other devices connected to it," Symantec says.
With that in mind, users who are concerned about security should avoid connecting certain functions to smart speakers, such as opening door locks. Otherwise, a burglar with strong vocal chords could instruct a smart speaker to "open the front door" or "disable video recordings now."
Here are some tips:
- Be careful about which accounts you connect to your voice assistant. Maybe even create a new account if you do not need to use the calendar or address book.
- For Google Home you can disable “personal results” from showing up.
- Erase sensitive recordings from time to time, although this may degrade the quality of the service as it may hamper the device in “learning” how you speak.
- If you are not using the voice assistant, mute it. Unfortunately, this can be inconvenient as most likely it will be switched off when you actually need it.
- Turn off purchasing if not needed or set a purchase password.
- Pay attention to notification emails, especially ones about new orders for goods or services.
- Protect the service account linked to the device with a strong password and 2FA, where possible.
- Use a WPA2 encrypted Wi-Fi network and not an open hotspot at home.
- Create a guest Wi-Fi network for guests and unsecured IoT devices.
- Where available lock the voice assistant down to your personal voice pattern.
- Disable unused services.
- Don’t use the voice assistant to remember sensitive information such as passwords or credit card numbers.
