By Stephen Cobb
Warning: if you plan to read this article out loud in the vicinity of an Amazon
Echo device you may want to turn off its microphone before doing so (for
reasons that will become clear in a moment).
This article offers tips on securing the Alexa
service on Amazon Echo devices; it is not about the security of dollhouses,
although dollhouses do come into the picture, so to speak. The shorter version
goes like this:
1. The default Alexa settings allow anyone within hearing distance of your Echo device to order goods and services on your Amazon account;
2. This includes children and voices on the radio or television;
3. Alexa will offer to sell you things even if you are not looking to buy them, for example if you or your child were to say “Alexa, what’s a popular drone?” it will offer to sell you one;
4. You cannot tell Alexa to cancel a purchase. You have to use the app or Amazon website;
5. You can protect Alexa’s voice purchasing feature by adding a confirmation code;
6. You can turn off the voice purchasing feature completely;
7. You can turn off the microphone on the Echo, for example if you want to have a discussion about Alexa without it interrupting you;
8. You can stop Alexa talking by saying: “Alexa stop”;
9. You can change the trigger or wake word from “Alexa” to “Amazon” or “Echo”;
10. The Amazon Echo has been around for a while, but because it was such a big seller this past holiday season, a lot more people are being exposed to this technology for the first time, exposing certain misconceptions about how it works.
The dollhouse connection
The longer version of this story began last week,
in San Diego, California, which is where I live. A local TV station did a piece
about a six-year-old girl who ordered a $160 dollhouse from Amazon, via Alexa,
without her parents’ knowledge or permission. At the end of the story, when the
anchorman repeated what that little girl was reported to have said – Alexa,
order me a dollhouse – people in San Diego started calling the TV station to
complain. Why? Because the Alexas in their homes and offices had started to
respond to that request.
So how could this happen? Amazon Echo devices
connect to your smartphone, your internet connection and, if you have one,
your Amazon Prime account (with its streamlined 1-Click ordering
capability). That means they have a lot of information and processing power at
their virtual fingertips, as well as extensive digital communication
capabilities, not to mention financial resources (your preferred method of
payment).
And the Echo is designed to respond to the human
voice. If you say “Alexa what is the weather?” within 20-30 feet of the device
it will answer. It can speak to you through its speaker or one you connect to
it, either wired or wireless. Let’s be clear about what is meant by “respond to
the human voice.” At this point in time, pending changes to the
product, it means “responds to any human’s voice” and not just the voice
of the person who installed it or whose account is linked to the device. That
means it could be the voice of a guest, a child, or a roommate. All of them
could potentially buy things on your account if you’re the one who set up the
device and you didn’t change the default settings – about which there will be more
in a moment. So a lot of people have been learning what XETV in San Diego
discovered: the list of potential users of your Alexa includes people on
television (see “News anchor sets off Alexa devices around San Diego ordering unwanted
dollhouses”).
How can this be? Well, the standard settings on a
freshly installed Amazon Echo make this all very easy. Consider this scenario:
you and your friends are discussing drones and you decide to ask your newly
installed Amazon Echo which drone is the most popular; you say “Alexa, what is
the most popular drone?” Alexa will respond by telling you the make and model
and price of the most popular drone sold on Amazon.
In one sense that’s pretty cool. The technology is
impressive. But immediately after giving you those details, and I mean without
even taking a breath, Alexa will say: “do you want to order?” If you say yes,
tada! The item is ordered, charged to the card you listed in your 1-Click settings
at Amazon.com, and shipped to your designated 1-Click shipping address. And get
this: you can’t tell Alexa you have changed your mind. If you ordered in
error you have to use the Alexa app or Amazon website to cancel the order.
Alexa, stop!
At this point you might be thinking: “just say no!”
But here’s what happens in that scenario. If you say no to Alexa’s offer to
ship you that first drone suggestion, then it will proceed to tell you
about a different drone and ask if you want to buy that one instead. Based on
my own research, I think that’s how you end up with a $160 dollhouse. Alexa’s
first pick for a dollhouse costs about $80, but the second pick costs twice
that. Basically, your child or roommate doesn’t need to know the make and model
of the thing they want; Alexa is more than happy to supply multiple
suggestions.
So how do you say no? How do you make this stop? In
a moment I will get into changing the default settings for Alexa, but even
before you get to that point you might want to know how to cut Alexa off when
she is talking and pitching products.
I don’t recall seeing this addressed in the stylish
but minimalist documentation that came with the Echo Dot device I bought.
So I asked one of my ESET colleagues, a family man who installed an Echo at
home some months ago. He replied: “I talk to Alexa like she is one of my children,
I say ‘Alexa stop’ and that seems to work.”
I tried this on the test device in my office
and it works, but it would be nice if the product came with clearer
instructions about how to control it at such a basic level. I found you can
also say “Alexa cancel” and that will stop the current activity but bear in
mind that phrase does not work to cancel an order after it has been placed.
It also bothers me that the default setting of the
Alexa Echo system is Voice Purchasing On, Confirmation Code Off. Changing these
settings is easy enough using the Alexa app that you installed on your phone
during installation of your Echo, as shown in the above screenshot. When I have
mentioned this concern in conversations with friends and colleagues the almost
universal response has been: “Well, it’s in Amazon’s best interest to make it
as easy as possible for people to buy stuff.”
What is not easy is having a conversation about
Alexa within earshot of the device. There are a couple of ways around
this. One is to turn off Alexa’s microphone – that’s what is happening in
the picture above where Alexa is glowing orange instead of blue. Another
option is to change the trigger word from Alexa to Echo or Amazon. However,
both of those alternatives could easily come up in conversation. I would
not be surprised to see Amazon upgrade the Alexa software at some point to
enable you to choose your own trigger word.
The security takeaways
At this point you may be thinking that this is all
very interesting, but in terms of cybersecurity it’s no big deal. After all, an
unexpected dollhouse on the doorstep might be a tad inconvenient, but it pales
in comparison with something like a ransomware attack that encrypts all of your
family photos and holds them for ransom. In many respects I agree, but I
do see some potential security lessons in the Alexa dollhouse story.
1. Products should never ship with “insecure” default settings. Security professionals have been through this discussion many times in the past. If the default install is “allow all” rather than “deny all” you are likely to get some amount of unexpected or unwanted allowing, like a TV broadcast ordering a dollhouse.
2. Technology purchasing decisions, even domestic ones, should be preceded, or at least accompanied, by a risk-benefit analysis.
3. Consumers can do risk analysis, but they can’t do good risk analysis if they don’t have all the facts. Just to be clear, at this point in time I have no knowledge that Amazon is holding back facts. What I’m saying here is that the company could be more upfront about how the technology works and what its limitations might be.
4. Risk tolerance varies between people. For example, some people stopped using the internet after the Snowden revelations. A certain percentage of people don’t bank online because they don’t think it is safe. And in the survey ESET did a few months ago, 40% of consumers were “not confident at all” that IoT devices are safe, secure, and able to protect personal information (see Internet of Stranger Things).
5. The security of any given technology depends on the environment in which it is deployed, and unfortunate realities can impose limitations. An open microphone to an artificial intelligence with the power to make things happen in the real world offers many benefits, and I have not yet seen any evidence that Alexa is being abused for malice or gain; but I am sure some people somewhere are thinking about doing just that.
6. The potential for unexpected and unwanted consequences from deploying technology tends to increase in step with the capability and complexity of that technology. I don’t think Amazon contemplated the TV news story scenario. Some of my colleagues think Amazon did, but shipped anyway, perhaps figuring it is no big deal, or maybe Mr. Bezos decided there is no such thing as bad publicity.
One other topic that frequently comes up in
discussions of Alexa and other voice-enabled technology is privacy. Sadly, I
have run out of room and time to discuss that aspect here. Fortunately, I
did make some time over the holidays to explore more than one
voice-activated IoT device and will discuss what I see as the privacy
implications in another article.