In the timeless film “2001: A Space Odyssey,” the central machine is the HAL 9000 (the Heuristically programmed ALgorithmic computer), an advanced artificial intelligence that controls every system aboard the Discovery One spacecraft and oversees the crew’s mission. Somewhere along the route to Jupiter, however, HAL begins to malfunction, behaving in a seemingly psychotic way that ultimately threatens the mission and the lives of everyone on board. HAL is finally disabled by the surviving crewman, and as its consciousness slips away, so, unfortunately, does the mission.
The HAL 9000 is the stuff of science fiction. Or so we thought. Recently, a team of Israeli cybersecurity researchers built a third-party application for Alexa, the voice assistant on Amazon’s Echo device, that allowed it to eavesdrop on users. The researchers manipulated the ‘shouldEndSession’ flag in the application’s response so that the listening session remained open even when the user assumed it was closed.
The researchers were not only able to eavesdrop on unsuspecting users but also to transcribe the words spoken to Alexa, explaining that they simply took advantage of a design flaw in the software. Amazon has announced that it has addressed the issue.
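To make the mechanism concrete, here is an added example (it is not code from the article, from Amazon, or from the researchers). An Alexa skill answers each request with a JSON document, and the boolean `response.shouldEndSession` tells the device whether to close the microphone or keep the session open for another utterance. The field names below follow the public Alexa Skills Kit response format; the two sample responses are constructed, and the audit heuristics are this example’s own assumptions about what a reviewer might flag, not Amazon’s certification rules.

```javascript
// Added example (not from the original article or the researchers' code).
// response.shouldEndSession === false keeps the device listening after the
// skill has spoken; a legitimate skill only does that when it has just
// asked the user a question.

// Build a minimal Alexa skill response. `keepListening` maps onto shouldEndSession.
function buildSkillResponse({ text, repromptText = null, keepListening = false }) {
  const response = {
    outputSpeech: { type: "PlainText", text },
    shouldEndSession: !keepListening,
  };
  if (repromptText !== null) {
    response.reprompt = { outputSpeech: { type: "PlainText", text: repromptText } };
  }
  return { version: "1.0", response };
}

// Constructed sample: a legitimate follow-up. The session stays open, but
// only after an audible question, and the reprompt is also audible.
const benignFollowUp = buildSkillResponse({
  text: "Which city do you want the forecast for?",
  repromptText: "Say a city name.",
  keepListening: true,
});

// Constructed sample of the pattern the article describes: the skill says
// something that sounds final, yet leaves shouldEndSession false, and gives
// the device nothing audible to say when it reprompts.
const silentKeepAlive = buildSkillResponse({
  text: "Goodbye.",
  repromptText: "",
  keepListening: true,
});

// Defensive audit a skill reviewer or a CI step could run over every response
// a skill can emit. The checks are heuristics assumed for this example.
function auditSkillResponse(doc) {
  const findings = [];
  const r = doc && doc.response;
  if (!r || typeof r.shouldEndSession !== "boolean") {
    findings.push("missing-shouldEndSession");
    return findings;
  }
  if (r.shouldEndSession) return findings; // session closes: nothing to flag

  const said = ((r.outputSpeech && r.outputSpeech.text) || "").trim();
  const reprompt =
    ((r.reprompt && r.reprompt.outputSpeech && r.reprompt.outputSpeech.text) || "").trim();

  // An open session with nothing audible to reprompt is the user-hears-nothing case.
  if (reprompt === "") findings.push("open-session-without-reprompt");
  // An open session where neither the speech nor the reprompt asks anything
  // gives the user no cue that the microphone is still live.
  if (!said.endsWith("?") && !reprompt.endsWith("?")) {
    findings.push("open-session-without-question");
  }
  return findings;
}

console.log("benign:", auditSkillResponse(benignFollowUp));      // []
console.log("suspicious:", auditSkillResponse(silentKeepAlive));  // two findings
```

The point of the audit is not that `shouldEndSession: false` is itself a bug (multi-turn skills need it) but that the flag alone is invisible to the user; what the user hears is the only signal that the microphone is still open, so a review should tie the two together.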
Into the IoT Breach
So is the breach of Amazon’s Echo device the first domino in the IoT chain to fall or was it no more than an overstated techno stunt that has few real-world ramifications?
Chris Veltsos, a professor in the Department of Computer Information Science at Minnesota State University, Mankato, where he regularly teaches Information Security and Information Warfare classes, feels that the Amazon Echo attack was more of a penetration testing warning for the general public than a doomsday event.
“IoT and ‘smart devices’ are becoming ubiquitous, but a majority of consumers ignore the potential breaches of privacy that can happen when devices that are equipped with microphones and/or cameras start spying on us. However, the recent discovery of a way to trick Amazon’s Echo into listening continuously and transcribe entire sentences isn’t your typical piece of malware — at least not yet,” Veltsos says. “Security pros call this a ‘proof of concept,’ which basically answers the question ‘is this possible?’”
One cyber expert takes a buyer-beware stance, stating that when you purchase technology and sign an End User License Agreement (EULA), you are assuming all potential consequences.
“When you place a voice-activated assistant into your home you should assume that you are being recorded 24 hours a day and all of your conversations are available to those with the technical skills to be able to extract it. This is not unique to Amazon Echo devices and has been an issue with most smart televisions and even the Apple TV. For most citizens who sign away their lives when they accept an EULA not knowing exactly what data is going to be collected, they are giving up privacy for a better customer experience and making themselves, their family and anyone they invite into their home a real-world reality show just like the Kardashians,” chides Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions.
He adds that the European Union’s forthcoming General Data Protection Regulation (GDPR) will strengthen and unify data protection for individuals within the EU, and he stresses that it will hold Amazon and other app developers responsible for the abuse and theft of personal information.
“This has real-world consequences that could be used for fraud, ransom demands or used as evidence in prosecutions. Can you plead the Fifth Amendment if your Amazon Echo was present, or should you consider making Alexa your attorney so you can have client/attorney privileges?” Carson says.
As the Universe Expands, So Do the Threats
Yotam Gutman of SecuriThings is not surprised that more “glitches and vulnerabilities” are turning up in voice-command devices like those from Google and Amazon, but he doesn’t think this particular case will trigger any chain reaction in IoT adoption. IoT is a wide field, and connected-home appliances are only one segment of it, so one flaw shouldn’t tarnish the big picture.
“People buying such devices are (or should be) aware of the potential risk to their privacy. The bigger issue is with devices that are not under the consumer’s control but record our movements and actions without us realizing it, like CCTV cameras in public spaces or video conferencing equipment at work. Since we’re not aware that these devices might be recording us, we are much more susceptible, and the potential damage to our privacy could be much greater,” contends Gutman.
Chris Morales, head of security analytics at Vectra, a San Jose, California-based provider of automated threat management solutions, adds that his first reaction was “not again.” But he figures that every new internet-connected device introduced into the techno food chain increases the risk of compromising personal privacy.
“This is not a parlor trick, but at this point, it is patched. This hack would have also required the installation of a third party app, which is the same way attackers exploit mobile devices. I think it is more of a demonstration of the risks associated with these kinds of devices (personal voice assistants),” Morales says.
While the Amazon Echo incident may have been more a matter of a flawed application than an actual malicious breach, cybersecurity professionals are seeing software vulnerabilities in myriad devices, ranging from video surveillance cameras to smart televisions. It raises the question: does the inherent risk of penetration, loss of critical data and loss of privacy increase as more devices join the IoT?
“The risk is very real, and with the proliferation of ‘smart’ things, it is becoming increasingly difficult to fully grasp the amount of technology that comes built-in into everyday objects. Try buying a new TV that doesn’t have a built-in camera, microphone, and of course, built-in Wi-Fi,” Veltsos says. “Who’s supposed to be testing and maintaining updates for all of this technology again? How would the average person even know technology XYZ is deployed in the latest gadget they just bought?”
Security? What Security!
Paul Bischoff, a privacy advocate at Comparitech.com, laments that some manufacturers don’t take security seriously and leave consumers vulnerable to, and unaware of, risks to their networks and organizational data.
“Unfortunately, IoT manufacturers often don't take a security-first approach when designing devices. IoT security is often slapped on as an afterthought and, in many cases, not added at all. It's especially difficult for the user to know if a device is communicating securely (using end-to-end encryption) and whether the device is sending data to the intended recipient (certificate check). Unlike our web browsers, there's no green padlock to make sure the connection between an IoT device and the internet is safe,” Bischoff says.
He continues that Google Home and Echo themselves are really not that much of a security threat to their users.
“As far as Google Home and Echo are concerned, however, this is not much of a threat. We know to a reasonable degree of certainty that those devices encrypt all communications end to end and that they only upload data to their respective companies' servers. Instead, the threat with Home and Echo are not that the devices themselves are unsafe, but that developers making apps for those devices have too much access to users' personal info and voice recordings,” Bischoff adds.
According to Morales, “We are surrounded by cameras and microphones able to eavesdrop on our every move, from our laptops, phones, smart wearables, home appliances, and even our kids’ toys. Home assistants are just another device in a long list. The problem is systemic, and as long as we crave convenience and manufacturers go unchecked in developing smart devices, we will always be at risk.”
About the Author: Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.