Thursday, December 12, 2019

If you allow "smart" devices to listen to you non-stop, you're crazy


Yet again, we've been reminded that all these "smart" devices like Amazon's Echo, Apple's Homepod, and Google Home are a security threat to our privacy, and potentially even worse.

... a quarter of Americans have bought “smart speaker” devices such as the Echo, Google Home, and Apple HomePod. (A relative few have even bought Facebook’s Portal, an adjacent smart video screen.) Amazon is winning the sales battle so far, reporting that more than 100 million Alexa devices have been purchased. But now a war is playing out between the world’s biggest companies to weave Alexa, Apple’s Siri, Alphabet’s Google Assistant, Microsoft’s Cortana, and Facebook’s equivalent service much deeper into people’s lives. Mics are built into phones, smartwatches, TVs, fridges, SUVs, and everything in between. Consulting firm Juniper Research Ltd. estimates that by 2023 the global annual market for smart speakers will reach $11 billion, and there will be about 7.4 billion voice-controlled devices in the wild. That’s about one for every person on Earth.

. . .

“Having microphones that listen all the time is concerning. We’ve found that users of these devices close their eyes and trust that companies are not going to do anything bad with their recorded data,” says Florian Schaub, a University of Michigan professor who studies human behavior around voice-command software. “There’s this creeping erosion of privacy that just keeps going and going. People don’t know how to protect themselves.”

. . .

In 2015, the same year Apple Chief Executive Officer Tim Cook called privacy a “fundamental human right,” Apple’s machines were processing more than a billion requests a week. By then, users could turn on a feature so they no longer had to push a button on the iPhone to activate the voice assistant; it was always listening. Deep in its user agreement legalese, Apple said voice data might be recorded and analyzed to improve Siri, but nowhere did it mention that fellow humans might listen. “I felt extremely uncomfortable overhearing people,” says one of the former contractors, especially given how often the recordings were of children.

Ten former Apple executives in the Siri division say they didn’t and still don’t see this system as a violation of privacy.

. . .

The fine print grants Amazon the right to retain and experiment on its voice clips far beyond what Apple does with Siri. By default, the company retains recordings indefinitely.

. . .

This August, Microsoft acknowledged that humans help review voice data generated through its speech-recognition technology—in products including its Cortana assistant and Skype messaging app—which businesses such as BMW, HP Inc., and Humana are integrating into their own products and services. Chinese tech companies including marketplace Alibaba, search giant Baidu, and phone maker Xiaomi are churning out millions of smart speakers each quarter. Industry analysts say Google and Facebook Inc. are likewise betting audio data will greatly enhance their mammoth ad businesses. Internet browsing tells these companies a tremendous amount about people, but audio recordings could make it much easier for AI to approximate ages, genders, emotions, and even locations and interests, says Schaub, the University of Michigan professor. “People often don’t realize what their voice commands reveal,” he says. “If you’re asking about football a lot, you’re likely an NFL fan. If a baby is crying in the background, they can infer you have a family.”

Google Assistant feeds its namesake search engine with queries from a billion devices it’s available on, including Android smartphones and tablets, Nest thermostats, and Sony TVs ... this summer a Google contractor shared more than 1,000 user recordings with Belgian broadcaster VRT NWS. The outlet was able to figure out who some of the people in the recordings were based on things they said, to the shock of those identified. Roughly 10% of the leaked clips were also recorded without these users’ consent, because of devices erroneously detecting the activation phrase “OK, Google.”

There's more at the link.  It's a long article, but well worth your time to read in full.  These companies simply don't care about your privacy, as long as you've clicked on the "I agree" button in their terms of service.  Once you've done that, they're off the hook, no longer responsible for how your data may be misused or abused - and that's their deliberate policy.

I'm astonished at the number of people who just brush off concerns about their private conversations and activities being recorded.  There are all sorts of dangers, and not only to our privacy.  Consider:
  • What if you'd been on one of those "more than 1,000 user recordings" shared with a news station?  How would you like it if a journalist called you to verify that this purchase, or that conversation, or an intimate activity like sex, was, in fact, a recording of you?
  • These companies retain the recordings almost indefinitely - yet almost every day, we see news reports of reputable companies being hacked, and their data stolen.  What happens if intimate recordings of your activities are hacked, and contain enough information to identify you, as in the case above?  Think how much a hacker can extort from you by demanding money in exchange for not posting the recordings on the Internet.
  • Any smart device is also a gateway to everything in your home connected to the Internet.  A "smart speaker" is no exception - and many of them contain video now, not just audio.  Just yesterday, it was reported that a hacker had accessed a Ring video camera and speaker in a little girl's bedroom.  Go read that report - it's spine-chilling.  What if that were your daughter?  Would you want nude images of your 8-year-old, undressing for bed or getting dressed in the morning, spread all over child pornography or pedophilia Web sites?
  • If hackers can penetrate your home wi-fi system through a smart device, they can access all traffic on that network - including your browser activities.  Do you want them to be able to read your payment information when you make a purchase?  A simple Internet search reveals the scale of the problem, and the number of companies trying to make money by offering you security "solutions".

I say again what I said in the title of this piece.  If you allow such "smart" devices to listen to you non-stop, you're crazy!  I won't have one in my home, and I prefer not to spend much time in homes that are equipped with them.  In the latter case, I also won't use their wi-fi, and I'll be very careful what I say and do.

It's not Big Brother watching me that worries me so much as all the sleazebags and low-lifes who make money and/or entertain themselves by doing so.  Go read that little girl's experiences again, and note that it's hardly the first time something like that has been reported.  These devices simply aren't trustworthy from a security perspective.

Peter

14 comments:

Eric Wilner said...

Yeah... I was looking at video doorbells for the new house, but the ones on the market all require communication with the vendor's server - they can't be manually configured to use the buyer's private server instead. So, nope, for multiple reasons. I'll probably build my own, once we're moved in; WiFi camera module dev kits are cheap and plentiful.
My policy for several years now has been that, if I must have a store-boughten Internet Thing on my network, it'll be on a restricted net with no (or carefully controlled) access to the network at large. When I set up networking at the new place, it'll include VLANs and managed Ethernet switches to provide control over access and traffic for various classes of devices (trusted equipment, guests, wired (exterior) video cameras, WiFi Things, and so on).
And, of course: anything indoors with a working microphone or camera? If I don't control the software, it doesn't get a network connection, except on a temporary basis. Our "smart TV" will consist of a small-form-factor Linux box and a projector, as it did at the old place until the projector finally died. Alexa is right out.

Divemedic said...

If you own a cell phone, smart TV, or laptop, they still listen. Don't think that just because you don't own a home assistant that no one can listen.

Zan Lynx said...

Not to minimize the dangers, which are real, but I wanted to quibble about accessing traffic on the WiFi network.

Yes, any connected device can read the rest of the WiFi traffic, unless you're using more security features than most people do.

But reading network traffic does not reveal your payment information. That is always encrypted using TLS between the web browser and the web server.

I've used my laptop on the WiFi at DefCon (with read-only virtual machines and such in order to be careful). None of my login information was ever intercepted, because it was encrypted. Even though DefCon is a hacker conference and they make a game out of hacking everything.

Pay attention to any errors you might get about security certificates though. Take them seriously. Yes, someone evil might try to fool your computer into connecting to a fake Amazon page, and if you were to override the security error, then you really would be giving your payment information to hackers.

Old NFO said...

Don't have any of them, never will. My home is 'still' my castle, humble and manual though it may be... Although I do wonder about the microwave sometimes...

Zan Lynx said...

I don't have any smart devices hooked up either. I have a smart phone and I do wonder about it sometimes.

I like what these IoT devices can do. I envy a friend's setup with Alexa and his house lighting. Being able to use voice commands to turn off lights at night and to have them come on automatically when you open the garage door is super useful.

But securing these IoT things takes a lot of work. My friend is a network security administrator and he's got enterprise level WiFi hardware, managed Ethernet switches and firewalls and routers. He partly uses so many IoT devices just to experiment with them and try them out.

I just don't want to bother with all of the necessary security work myself.

Sherm said...

https://www.instructables.com/id/Disable-Alexa-Microphone-on-Amazon-Fire-Stick-TV-R/

Orvan Taurus said...

I'd LOVE to have Digital Assistant... but one whose server *I* own, and it is local (worst case, I can smash it with a sledge!). If I can train it on my own idea of language, so much the better. Whether Latin (for magic-ish effect) or Moo (let some ratfink figure THAT one out!), or some bizarre combination of English, German, Norskie, Latin, Moo, whatever... heheheh..

Jeff B said...

"If hackers can penetrate your home wi-fi system through a smart device, they can access all traffic on that network - including your browser activities."

Well, that's not entirely accurate. But if you are concerned about that, put the Smart Speaker in a DMZ/isolated subnet that is different from all of your computers.



Rob said...

If you have a smart phone it's listening too....

Keith_Indy said...

My fiance wants an Amazon Echo, or some such.

me: it's always listening...
fiance: no, you have to say "Alexa" before it wakes up
me: so how does it hear that?

So frustrating...

Rick T said...

I have a few 'smart' devices but they can only see the Internet (and each other). They have no access to my PCs (or their traffic), storage systems, etc.

It isn't hard to do: Add a personal wireless router behind your ISP's device. Leave all the questionable gear out on that network and keep all your personal behind the 2nd router. I've turned off all external management to my box and patch it when needed. My ISP sees that one router port and none of the devices behind it.

Still, I won't have any smart speakers, Ring devices, or Smart TVs in the house. Nothing with a microphone or camera.
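
One way to check that the segmentation described in the comments above (a separate network per device class, with smart devices able to reach only the Internet and each other) actually holds, as an added example that is not any commenter's code. The subnets, the zone policy and the flow records are constructed assumptions; records are new connections listed by initiator, so replies to connections opened from the trusted side are not flagged.

```python
import ipaddress

# Assumed address plan (hypothetical): one subnet per device class.
ZONES = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
    "cameras": ipaddress.ip_network("192.168.40.0/24"),
}

# Assumed policy: (initiator zone, responder zone) pairs that may connect.
# Anything not listed is a violation; cameras get no outbound access at all.
ALLOWED = {
    ("trusted", "trusted"), ("trusted", "internet"), ("trusted", "iot"),
    ("trusted", "cameras"), ("guest", "internet"),
    ("iot", "internet"), ("iot", "iot"),
}

# Constructed sample: new connections as "initiator responder dst_port".
SAMPLE_FLOWS = """\
192.168.30.21 8.8.8.8 443
192.168.30.21 192.168.30.22 8009
192.168.10.5 192.168.30.21 80
192.168.30.21 192.168.10.5 445
192.168.40.7 1.1.1.1 443
192.168.20.9 192.168.10.5 22
192.168.30.22 192.168.99.1 53
"""

def zone_of(addr):
    """Map an address to its zone; unplanned private space is 'unmapped'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet" if ip.is_global else "unmapped"

def audit(flow_text):
    """Return (src, dst, port, 'zone->zone') for each flow the policy forbids."""
    violations = []
    for line in flow_text.splitlines():
        src, dst, port = line.split()
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            violations.append((src, dst, int(port), "->".join(pair)))
    return violations

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Any violation that shows up in real router or switch flow logs means the isolation is not doing what was intended, whichever mechanism (VLANs, a separate subnet, a second router) is used to enforce it.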

Larry said...

Don't underestimate new refrigerators, nor decepticons toasters.

Larry said...

Toaster laughed

Sanders said...

"Hey Siri!"

"Yes?"

"Are you spying on me?"

"No"