“Alexa, how secure are you?”
Homes across America have turned “smart” thanks, in great part, to the wave of smart home assistants that made their way under the Christmas tree last year. In fact, smart home assistants were among the hottest Christmas gifts, selling millions in their various forms. But as with anything connected to the Internet, there are inherent security risks associated with smart home assistants that every user should be aware of.
Amazon controls the smart home assistant market by a huge margin. Approximately 75% of smart homes feature the Amazon Echo, Echo Spot, Echo Buttons or Echo Dot, and several of their products sold out completely this holiday, spurring Amazon to announce that it was a “record holiday season” for their device sales. More than 20 million people around the world are connecting to Alexa’s voice service, and its app has reached #1 in App Store downloads.
But some people are starting to wonder about the privacy of their homes with home assistants listening in, tracking and storing their search history and conversations. Videos are popping up all over social media with people asking “Alexa, is our conversation private?” Alexa’s usual response is to shut down. So what are the security concerns associated with having a smart home?
According to a recent study by Symantec, the following are the top security concerns for smart home assistant users:
- The biggest threat to the security of your voice-activated smart speaker is the other people who can access it.
- Smart speakers can be accessed by more than just other people. The TV, radio, websites and other smart speakers can also access your device.
- While voice identification is an important feature, devices can still be fooled into responding to other voices and even other wake-up keywords.
- Attackers who gain access to the local network can change your smart speaker settings.
- If the linked email account becomes compromised the device could be used to spy on people.
Symantec cautions that “the range of activities that can be carried out by these speakers means that a hacker, or even just a mischief-minded friend or neighbor, could cause havoc if they gained access.” That havoc could be as simple as a prank – using the Simon Says feature to freak out friends with how much Alexa “knows” – or as serious as making purchases without your knowledge or disabling your smart home security system.
Digital home assistants are always listening. While they require a “wake up” command, accidental triggering is a fairly common issue, and once the assistant has been triggered, it records what is being said and sends it via a secure connection to storage on backend servers. Most assistants allow you to access and listen to recorded content.
And if someone has hacked your digital assistant, it would be relatively easy to trigger the assistant remotely and listen in on your everyday life. If you purchase an assistant with a built-in camera, there’s the added concern of being watched.
So how do you protect your devices and yourself? There are a number of steps you can take to protect your security with smart home assistants.
Change the default username and password immediately.
The first thing a hacker will do when trying to gain access to your system is to attempt to use the username and password that ship with your device. As soon as you get it set up, change the username and password.
Use secure password practices.
To ensure all of your devices remain secure and avoid a single point of failure, each device should have a unique password and they should follow secure password practices. Not sure how to create a good password? Check out our guide to secure password practices.
Update your devices regularly.
Keeping your devices’ firmware updated ensures that you have the latest security patches for any vulnerabilities or exploits that have emerged. In many cases, this process can be automated, but you should always check to ensure your device is current on all security and system updates.
Utilize a separate network connection for your smart home devices.
If you allow guests to connect to your home network, consider utilizing a “guest” network option. This allows your friends and family to access the internet without giving them access to your networked devices. You can also set up a separate network for IoT devices entirely.
Turn off Universal Plug and Play (UPnP).
While Universal Plug and Play makes it easier for you to detect and use devices on your network, it can also help hackers discover and compromise more devices.
Secure or disable the purchasing option.
Last year a little girl asked Alexa to buy her a dollhouse and cookies. Her parents were surprised when they received a delivery of four pounds of sugar cookies and a $170 dollhouse. While this was a relatively harmless use of the purchasing feature, it can be exploited more severely. Echo comes with the purchasing option enabled by default. You can choose to require a four-digit PIN for purchases or turn off the feature all together.
Don’t use public WiFi to access your home network.
You should never send secure passwords or access sensitive data over a public WiFi connection. It’s easy for hackers to compromise these networks and use them to get your sensitive information. If you must access smart home technology remotely, consider using a virtual private network (VPN) to create a secure path to your network.
We love new technology, and anything that lets us actually talk to a computer is a lot of fun. But we also recognize that as smart home technology continues to expand, it’s important to make security a top priority. If you have any questions about your network security or how to protect your devices and privacy, we’d love to have you get in touch with Spud Software. And if you did get a new smart home assistant this year, try out, “Alexa, contact Spud Software,” and let us know how it goes!