I’m one of those baby-boomer technology aficionados who consider himself a minimalist when it comes to personal tech gadgets. Don’t do the do the whiz-bang digital watches that do everything from phone home to check your IQ, and I still haven’t figured out how to program the universal remote my kid got me for Father’s Day back before 74-inch Smart televisions were a must-have item.
Late last fall, my wife and I were across town visiting friends who fancy themselves pretty tech savvy folks. Both are devotees of their recent purchase of the Amazon Echo. You know, that indispensable personal- assistance device housed in a desktop speaker that can tell you knock-knock jokes, recite the Gettysburg Address or provide you the latest Martha Stewart muffin recipe.
Our long-time friends had just sent their son off up north to college and were settling into the life of freshly minted empty-nesters. So after a couple of beverages out on the deck, they proceed with a story of how their far-away freshman had tapped into their Echo and began tormenting them at inopportune moments by throwing his disembodied voice like some sort of Alexa ventriloquist through the various Echo stations about the house. At first, it seemed funny, two weeks later, not so much.
That revelation was enough to solidify my stand that we would not be taking in Alexa as a border in our home. But the potential privacy issues related to the Echo go far beyond a bored son messing with his parents from his college dorm room. This past spring a team of Israeli cybersecurity researchers tapped into a hidden application related to the voice activation assistant on Amazon’s Echo device allowing hackers to eavesdrop on its users. The researchers manipulated the ‘ShouldEndSession’ query code so it remained open even when the user assumed it was closed.
The research hackers were not only able to physically eavesdrop on unsuspecting users but were also able to transcribe all spoken words aimed at Alexa, saying that they simply took advantage of a design flaw in the software. Amazon has since announced that it has addressed the issue and eliminated any further exploitation threats.
So is the breach of Amazon’s Echo device the first domino in the IoT chain to fall or was it no more than an overstated techno stunt that has few real-world ramifications?
I posed this question to a group of salty and experienced cybersecurity professionals known as the #CyberAvengers. This intrepid band of cyber do-gooders includes Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos. Their first reaction was that this was really no surprise.
“IoT devices, as related to privacy breaches, have been on shaky ground for some time and for good reason. The problem has two streams: one technological, the other, human. The following statement is wide-reaching, but not necessarily inaccurate either: IoT devices, and the systems they rely on to operate, are inherently insecure. Whether it’s insecure code or preprogrammed default passwords and everything else in between, these issues fall into the technological stream of the problem. Here’s the short version: IoT devices rarely are designed with security in mind. In fact, it’s the opposite: get to market as soon as possible and that usually means cutting corners,” say the CyberAvengers.
They insist that the race to get devices to market involves cutting corners. That corner-cutting comes at a cost, but the cost is not so transparent. Saving a few bucks in the R&D phase, in turn, the retail phase could cost the user at the personal level.
“That’s where your privacy issues come in, a human stream problem. So unless the industry adopts a security-by-design mindset – which admittedly is more expensive up front and potentially to the end user in terms of dollars – we will have real-world ramifications and we are experiencing them today. No clowning around here. The issue is real,” the cyber team says.
So guys, is it a toy or must-have tech?
“Some of us enjoy the tech but understand it comes with a cost. Others of us though cringe, not only at the thought of using personal assistant technology but being inadvertently caught up in somebody else’s personal assistant technology,” says the CyberAvengers. “Fully disabling the features is just not good enough for some of us; we want to rid some of our devices of all associated personal assistant technology software. But that’s another market force we are dealing with. Apparently consumers like these “toys for big kids” which is why the technology is nearly ubiquitous on all new devices. But here’s something else we think too: we don’t consider the technology a toy, even if some feel that way.”