Personal voice assistants have proven to be a great technological innovation that improves lives daily. With 4.2 billion of these devices in use in 2020, they are no longer just a novelty, and, with workers staying home for the foreseeable future, voice assistants could pose a sizeable security risk.
Voice assistants are mostly known as standalone speakers that people talk to in order to execute simple tasks like accessing a search engine. They were initially born on smartphones and are now even directly integrated into computers, making them an item on most cyber security professionals’ list, whether or not their company is working from home.
With all these different environments voice assistants are being used in, it’s crucial to stay up to date on their various vulnerabilities and put a detailed plan surrounding their use in a remote workplace or communal office space.
The general risks of voice assistants
Voice assistants are loved for their simplicity and ease of use, but it’s important to remember they’re tied to the rest of your technology ecosystem. What makes these devices tricky in terms of cyber security is that they often have access to a variety of accounts and passwords.
A recent study by PwC found that 43% of respondents use their personal voice assistants to send a text or email at least every month. It’s clear that people are trusting their voice assistants with increasingly private information.
While most voice assistants on the market have a certain level of security in place natively, they’re often used to control cheap smart devices that might not. There have already been several recorded instances of data breaches that originated from low-quality smart bulbs and, ironically, smart locks.
Another issue is the potential for eavesdropping, and that might happen even without malicious action. Almost all the makers of the major voice assistants have been caught in some form of a scandal involving the management of their devices’ recordings.
Since voice assistants need to always be “listening” to be useful, there is a high potential for private or work conversations to be overheard since these devices often record voice to better recognize future queries.
That might not be a big issue if the recording went nowhere, but Apple has infamously hired 3rd party companies to review the contents of Siri’s recordings. Amazon also mistakenly sent 1700 voice files containing personal information to the wrong user in Germany in 2018.
Perhaps a more unlikely but still terrifying possibility is what is being called a Dolphin Attack. Researchers have proved that they could have voice assistants make calls and control other devices by embedding sounds that get picked up by voice assistants’ sensors while being inaudible to the human ear.
A deeper dive into each voice assistant
While Amazon’s Alexa and Google Assistant have the lion’s share of the market with 37% and 30% respectively, there are a lot of similarities between all the voice assistants on the market. Still, it’s important to familiarize yourself with all of them individually in order to understand how they interact with the rest of your cyber security ecosystem.
Initially only available on Google’s Pixel line of phones, Google Assistant is now integrated into a variety of smart speakers and other devices like televisions. Android users love this feature since it easily connects with the rest of their devices.
The main issue with Google Assistant is that its AI is very advanced and can search in a user’s emails and documents for potential query results. This makes the data breach potential very obvious, but thankfully you can narrow down the types of searchable content in the settings.
Apple devices are very tightly connected to one another, so a smart speaker like a HomePod being affected means Apple computers and phones in that network become instantly vulnerable.
The main risk is that Siri has access to a user’s Apple ID, meaning name, phone, date of birth, passwords and even credit cards. Thankfully, Apple is very protective of its ecosystem and only allows a very select list of devices and apps to interact with their voice assistant.
Microsoft’s voice assistant, Cortana, is only available on Windows computers. Because of its ease of integration within a Microsoft ecosystem, Cortana-enabled devices offer consumers a wide range of cyber security options. However, with an increasing number of cyber attacks targeting Microsoft users, it’s important to remain vigilant when utilizing Cortana’s features.
Cortana also has the most robust settings out of all the voice assistants and can be personalized to only be available in certain applications and limit the types of content it can search.
Amazon’s voice assistant arrived on the scene a bit later but quickly became the most well-known. While Amazon has a variety of proprietary Alexa devices, they’ve aggressively licensed their voice assistant, and Alexa is available on a dizzying number of devices, some of which you might not suspect at first.
The main danger with Alexa is that it has access to a user’s purchase history and credit card information. It can also purchase items on behalf of the user and could potentially be used to steal packages.
Tips to properly secure your voice assistant
Voice assistants have become a more significant issue since many workers aren’t in offices anymore. But with many companies switching to a more flexible work schedule, they’re very likely to remain an item on your list.
Here are a few tips to remain a step ahead of voice assistant vulnerabilities:
Only use trusted third-party apps
Voice assistants are a major trend right now, and there are thousands of apps that can interact with them. Try to keep these to a minimum. Ideally use only the apps required to run other smart devices like smart bulbs and the device manufacturer’s base apps.
If you do use other 3rd party apps, make sure they’re from reputable publishers. The same tip is true for smart devices, only purchase from well-known brands as they’re less likely to cheap out on security measures.
Don’t link sensitive accounts or credit cards to your assistant
Voice assistants are more useful when they have access to your email and other accounts, but they can still be very powerful without and much more secure when used that way.
As for credit cards, it’s just better and safer to order from your computer. Never give purchasing access to your voice assistant.
Mute or turn off your voice assistant after use
While it’s more fun to simply chat to your voice assistant whenever you want, it’s way less secure used that way. Turning off or muting your assistant when you’re not using it sidesteps many potential security flaws in these devices and helps avoid a scenario where they might activate at an inopportune time, like while you are on a business call.
Use WPA2 encryption on your Wi-Fi
This best practice is something you should do whether or not you have a voice assistant. All voice assistants operate over Wi-Fi, and strong encryption protection over your network is by far the best defense for these devices.
The recent move to working from home has brought more attention to personal voice assistants. Still, it’s a device that could remain in your life, even after employees return to the office.
Gartner predicted in a recent report that 25% of digital workers would use a personal voice assistant daily by 2021. Besides their convenience in the home, there seems to be a real push to test them in the office. With Microsoft working to integrate Cortana in their popular Office suite, now might be the right timing to place a policy surrounding these devices.
Get your complimentary resources for security awareness