Kiuwan logo

Cybersecurity: How Safe are Voice Assistants?

This new age of Artificial Intelligence is fascinating—and terrifying, too. From ubiquitous digital assistants like Siri and Alexa to usage on factory floors, the impact of AI is dizzying.

Your cell phone mostly features a voice assistant. At best, Apple’s Siri may seem like a “naïve” helper who can check weather status, order pizza, or even read a bedtime story. At worst, the chatbot can make your device susceptible to data theft and malicious attacks.

Recently, researchers at Zhejiang University in China revealed that voice assistants are prone to eavesdropping by hackers using inaudible voice commands. With the gigantic leap that voice assistants have made in the tech sphere, we can’t (and must not!) cancel out the possibility of data hacking taking a sharp trajectory.

Even more disturbing is the reality that bot attacks are sparing no device—from smart home appliances to smartphones. So, this brings us to the big question: Has the popularity of voice assistants come at the cost of security? In this article, we take an in-depth look at how cyberattacks affect those using voice assistants and how you can leverage SAST solutions from Kaiwan to secure your applications and, more importantly, your code.

Surfing to Dolphin Attacks: The Different Types of Voice Assistant Security Flaws

Most digital assistants today require a voice command to activate “Ok Alexa” or “Hello Siri,” as it informs them that the user is ready to pop a question. As such, any uttering on TV or radio can accidentally spark the assistant to live status. While this might seem harmless, once the voice assistant is up, it will record everything and store it on its servers. So, if you forget to delete a saved audio file, botnets may sniff and grab confidential data in a jiffy. However, this is just the tip of the iceberg.

Here, we dive into the top vulnerability points you should know when using voice assistants.

1. Eavesdropping

A couple in the US recently discovered that their Alexa-based Amazon Echo Home Hub had picked up one of their private conversations and sent it to a person in the husband’s contact list. In their defense, Amazon responded that the mishap was due to “an unlikely string of events” and conceded that the smart app had misinterpreted the speech- as most digital assistants tend to do. The exchange was harmless- apparently about flooring- but imagine if it was more delicate.

Digital assistants like Google Assistant, Alexa, and Siri use voice recognition as their primary technological interface. This means they are always eavesdropping, even when not in use. According to researcher Mark Barnes, a hacker can utilize any voice assistant as a potential listening device to pique confidential data.

2. Remote Control

What’s worse than waking up and finding your most intimate photos flooding social media? Researchers from Washington University recently uncovered a new trick to infiltrate voice assistants through inaudible ultrasonic waves. Dubbed “Surfing Attacks, “this method can exploit various smartphone features (iPhone & Android), from phone calls to reading messages, without touching the gadget.

Using a tapping device, a signal processing module, and an ultrasonic transducer, hackers can quickly propagate voice command signals to interfere with your device through mechanical coupling. The assistant will “think you are saying a command” and proceed to release critical information.

However, the worst-case scenario of this technique has yet to be unraveled. Experts warn that these high-frequency commands (above 20 kHz) could ‘overhaul’ your entire digital system. They could download a virus, add false events to a personalized calendar, or, even worse, send unsolicited messages.

3. Privacy

Who doesn’t love a bit of privacy with their devices? Who likes changing passwords now and then?

Sadly, with hackers on our necks, the aspect of authentication (and verification) continues to be a pitfall.

Researchers recently uncovered the absence of potent user authentication systems in most digital assistants. Hence, hackers can meddle with various smart cars, smart home systems, and other devices.

Enter ‘LightCommands’.

LightCommands inherently exploit flaws in MEMS systems by injecting voice sound into the assistants’ microphones using laser rays. So, the attacker doesn’t have to be close to the target device; they can focus laser light from separate buildings and within a distance of 110m.

Additionally, many smart devices or programs don’t use end-to-end encryption, leaving essential data open to third parties to mine. For instance, the Allo messaging app—a Google product—uses voice assistants without encryption.

How Do You Protect Yourself?

A cybersecurity expert at NET BOX, Michael Gazeley, shares the following insights:

“Most IoT devices are a hacker’s dream; each smart device is potentially another way into your home- to access data, abscond with your money, or steal your identity.”

And we couldn’t agree more.

Voice Assistants offer many conveniences. Yet, for some reason, products using IoT (the Internet of Things) end up as honeypots for rogue access.

Smart assistants may test our wit because they raise a challenging question: Can intelligent assistants be hacked?

The answer is essential since your privacy and personal information may be at stake.

The correct answer is YES—under certain conditions, hackers can exploit digital voice assistants’ vulnerabilities. But you can take a couple of steps to protect your information.

It’s important to filter the kind of information you feed to your voice assistant. What it doesn’t know can’t hurt you. Start by learning how to configure settings. Add this to the fact that you may not know who can access your data- a voice assistant compiles and stores too much. After all, limiting loopholes is the first vital step to prevent hackers from hauling personal data.

Here are more tips to help you stay more secure:

Watch what you connect

It’s imperative not to connect security functions, such as a door lock or surveillance camera. You wouldn’t want a thief to shout “Open the Door” only for your digital assistant to oblige! Moreover, disconnect features that link to your address or your calendar- often rich data sources.

Mind what you share

Your credit card information, passwords, and other credentials are just some of the things you don’t want your voice assistant to know.

Delete Commands

Smart assistants allow you to bin commands or listen past them. This is an effective way to wipe any critical data you don’t want lingering around. Remember, Siri or Alexa can always “re-learn” commands, and quickly too.

Turn off the microphone

Mute your voice assistant the next time you look away, go shopping, or nap. That’s the easiest way to get it to stop listening.

Switch off purchasing

Often, smart assistants can run purchasing errands. Any hacker sniffing the device can make a buy. That could be disastrous. The solution? Set up purchase credentials and keep them a secret.

Stay on top of your networks

Rather than an open hotspot, consider using a WPA2 encrypted Wi-Fi. If you occasionally have guests over, create a guests-only Wi-Fi network. Also, add unsecured IoT devices to that list.

Enable voice recognition

You may have heard this a gazillion times, but configuring your digital assistant for voice recognition is a proficient way to avoid hackers. Tune it in such a way that it only recognizes your voice.

Strengthen your passwords

To prevent remote intrusions like the case with “Surfing Attacks,” use 2-factor authentication to beef up your device’s security.

Wrapping Up 

Voice assistants carry the risk of regular cyber-attacks, and hackers will stop at nothing to exploit any vulnerabilities. The best way to protect your device is by minding the information you share.

For developers who want to secure their code from hacking, sniffing, eavesdropping, or any other type of cyber-attack, DevSecOps is the way to go. Kiuwan enables you to leverage SCA and SAST solutions to deliver high-end security to the application. Our tried-and-tested scanning tool can detect flaws in software inputs/outputs and conduct efficient testing. Add to that our capability to provide your software with lightning-fast and scalable shielding within any DevOps ecosystem, and you’re sure to avoid recurrent security issues now and into the future. To learn more, request a trial today.

In This Article:

Request Your Free Kiuwan Demo Today!

Get Your FREE Demo of Kiuwan Application Security Today!

Identify and remediate vulnerabilities with fast and efficient scanning and reporting. We are compliant with all security standards and offer tailored packages to mitigate your cyber risk within the SDLC.

Related Posts

A Guide to Code Portability-updated

A Guide to Code Portability

As applications need to operate across multiple environments, code portability has emerged as a topic of focus for developers. This guide will help you understand what code portability is and…
Read more
© 2024 Kiuwan. All Rights Reserved.