I have 1,001 friends in InfoSec who I hear things like this from on a regular basis:
I’d never put one of those things in MY house! I’m in security! They’re going to find flaws in those things, you wait and see!
Then when something happens, like a private conversation being sent to a random person, they inevitably bring their I Told You So game.
I also read enough to know it could be me that’s wrong about this.
I find the whole thing mostly silly. I think it’s an example of security people being emotional rather than doing actual threat and risk analysis. Dan Kaminsky had this comment on Twitter that captures it humorously.
I understand the Alexa bug well enough to put together a detailed guide to replicating it. — Dan Kaminsky (@dakami) May 26, 2018
One of my friends just commented, dude, it's a butt dial. Alexa reimplemented the butt dial. Sucks, but nobody suggested throwing out phones, because of butts.
He's got a point.
These are consumer scenarios; it’s a whole separate game if you’re putting these things at work and integrating them with backend systems.
So let’s ask the question: what are we actually imagining as threat scenarios here? I’ve gone through them myself and they’ve panned out as absolute garbage. Let’s look at a few of them.
- Amazon is Actually Storing Everything, From Every Echo: Cool, so they’re the evil empire, and also thousands of times more effective than the NSA. They have a team of 1 million people trained to extract juicy things and use them to blackmail you or sell you products. And they send a copy to the government so if you ever do anything bad they can arrest you.
  - Not worth the risk to them.
  - Too hard to keep secret.
  - Too hard to actually execute.
- Someone Finds a Flaw in Echo And Can Listen In to Your Conversations: So there’s some really bad bug where someone can send you an email or text message while you’re at home, and it sends a command to your Echo and turns on recording, and then also sends that recording to the attacker.
My analysis? Sure, that’s bad, but think of how many things have to fail for that to work. First, Amazon is going to guard against this like it’s Ebola in AWS because their entire SmartHome play is based on trust. And for a company that’s literally running the entire internet via AWS, I think they’ll be pretty good at that. Second, the targeted attack has to work. The attacker has to somehow pick you, find a way to reach you, send you the attack, and it has to go through your various defenses. That will definitely work against people, but the odds of it happening to you are really low.
- There’s a Massive Internet-based Bug That Allows Attackers to Listen to Any Smart Speaker Device: Let’s say there’s a vulnerability so bad that all the attacker needs is the user’s Amazon-associated email address, and they can then listen to all Echos associated with that account.
My analysis: First, this is 1) not impossible, and 2) really, really bad. But you know how long that vulnerability would exist and be exploited before someone either alerted Amazon or leaked it to someone? Not long. So, could the worst possible thing happen quietly for a period of time, during which you get targeted, and during which time you say something holistically stupid or sensitive that an attacker takes advantage of?
Yes, absolutely possible. But unlikely. That window is small, and unless you’re really important, and really prone to saying dumb and/or sensitive things at home, this isn’t likely to happen. And that’s assuming the vulnerability exists that makes it possible.
The internet of poo
To be clear, I don’t think we’re even close to seeing how ridiculous the Internet of Trash (IoT) will be. We’re going to see massive mistakes. Massive misconfigurations. Leaked data. Leaked recordings. All of it. It’s going to happen. Hell, it’s already happened. And it’ll get way worse before things improve. But being hacked by your smart speaker is just not a likely scenario.
Being personally targeted by some sophisticated attacker, who uses a 0-day smart speaker vulnerability to record you and cause you harm—is an emotional fear and little else.
Who is this attacker anyway?
A cybercriminal? A government red-teamer? A random security researcher with a grudge against you?
You need to ask why these people would spend time attacking you, because they damn sure will be asking the same thing. These attacks are expensive in numerous ways. They take time and effort, and they burn precious exploits. And there’s nothing an attacker hates more than wasting time, effort, and good vulnerabilities on a target that isn’t likely to return anything.
So ask yourself: are you that important? I’m not. And I think I can get a whole lot more important and still not be important enough. Nobody cares, and especially nobody with the skills to use 0-day smart speaker vulnerabilities to hurt you.
Besides, there are far easier ways to hack someone. If I wanted to hack me—or anyone like me—it’d be easy. Not because I don’t have solid defenses—I do—but if you’re targeted by someone skilled, it’s remarkably easy to get in and mess your life up.
If you or I—or almost anyone in infosec—is targeted by someone with even modest offensive security skills, you’re going to lose. And not by a little bit.
You don’t avoid being hacked by professionals by having strong passwords, antivirus, and not owning a smart speaker. You avoid being hacked by being part of the 99.999999% of the planet that attackers don’t care about.
That’s why you shouldn’t worry about people hacking Smart Speakers.
- You’re probably not interesting enough to target, and being uninteresting is actually your best defense.
- If a vulnerability applies to a large number of people, your data will be lost in the noise (see not targeted).
- Any vulnerability that allows a casual attacker to target an individual will be fixed very quickly, and the odds of you having a major negative impact during that tiny window are low.
- If you are both targeted—and it’s by a skilled attacker—you’re going to get hacked through your email and laptop/phone anyway—not through your smart speaker.
So now, take that remaining risk—which absolutely is not zero—and compare it to the advantages offered by products like Echo.
To me, and many other infosec people, that risk is simply worth it because it’s offering something in return.
Not only is the functionality useful sometimes, but I also personally feel that it’s my job to be on the front lines of this battle, which means wading around in The Internet of Trash so that others don’t get as dirty.
We’re the shepherds through this mess, and it’s our job to embrace this beautiful and broken future that’s hurtling towards us.
Hug it, so it can’t stab you (as hard).
- Casual attackers won’t be able to hack you through your smart speaker because it’s non-trivial.
- Professional attackers won’t hack you through your smart speaker because it’s much easier to do so through your email, computer, and phone.
- The risk for most consumers is far lower than the benefits, and the goal of security is not to get risk to zero—it’s to make it low enough to function normally without fear.
- If you’re in security yourself, consider using these devices as part of your duty to help protect and educate the masses.
- If you do decide to use IoT devices like I advocate here, know that there’s a major difference between devices from someone like Amazon, which has billions of dollars to lose and works very hard on security, vs. some no-name vendor from China. Be picky about what you install.
- Also, no matter what vendor it is, put IoT stuff on its own network. Just assume it’s doing something shady and you will never be disappointed. Ok, not never. But less often.