Spotlight on IoT Security: Did You Mean to Order That Gift?
With the holiday shopping season right around the corner, now is a good time to revisit some experiences from the last yearly spending spree to ensure you don’t end up with unwanted merchandise.
The Alexa dollhouse story was big news following the 2016 holiday season as Amazon’s Alexa device was a huge seller last year. Here’s a quick summary:
A California TV station reported on a six-year-old girl who ordered a $160 dollhouse via Alexa, without her parents’ knowledge or permission. At the end of the story, when the anchorman repeated what that little girl was reported to have said – Alexa, order me a dollhouse – people in San Diego started calling the TV station to complain. Why? Because the Alexas in their homes and offices had started to respond to that request.
Note that the Google Home device also includes voice-activated shopping capabilities through partnerships with Walmart, Target, and other retailers.
And because smart devices like Alexa can control many other items in the home, voices besides your own can trigger other inadvertent actions.
During a recent NPR broadcast about Alexa and the Echo, listeners at home noticed strange activity on their own Echo devices. Any time the radio reporter gave an example of an Alexa command, several Alexas across the country pricked up their ears and leapt into action — with surprising results. In one case, Alexa reset a thermostat to 70 degrees. A Google commercial during the Super Bowl this year prompted Home to play whale noises, flip the hallway lights on, and recite a substitute for cardamom. As a series of actors barked “OK Google” commands on TV, the devices started doing what they were asked to do.
Bottom line: these devices respond to any voice within hearing distance, not just their owner's.
In a previous article, we shared a few tips about how to keep your IoT devices secure. Here are a few precautions you can take to specifically address the potential of inadvertent ordering this holiday season:
- Both Alexa and Google Home provide the ability to turn off voice purchasing completely. This option is under the Settings menu in the app for both devices.
- Alexa provides the ability to protect voice purchasing by adding a confirmation code in the app. But note the code is viewable to anybody with access to the app, so this might not be enough protection against a tech-savvy member of your family.
- Both devices allow users to change the ‘wake word’ for the device, though neither device allows for custom wake words at this time. Use of a less-popular wake word could limit the instances of misuse.
- Both devices allow you to turn off the microphone – something of a ‘nuclear option’ given the intended purpose of the devices.
In commenting on the dollhouse order episode, several security experts noted the rather open approach to security from many IoT vendors. In this case, the issue is that the default setting of the Alexa Echo system is Voice Purchasing On, Confirmation Code Off. Products should never ship with “insecure” default settings. If the default install is “allow all” rather than “deny all,” you are likely to get some amount of unexpected or unwanted allowing, like a TV broadcast ordering a dollhouse.
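To make the difference between the two defaults concrete, here is an added example (not code from Amazon, Google, or the original article) that evaluates an overheard order against several constructed household configurations. The setting names and the sample code value are hypothetical.

```python
import hmac

# Constructed settings modelled on the defaults the article describes.
# Key names are hypothetical, not a real Alexa or Google Home schema.
SHIPPED_DEFAULTS = {"voice_purchasing": True, "confirmation_code": None}
DENY_BY_DEFAULT = {"voice_purchasing": False, "confirmation_code": None}
OPTED_IN_WITH_CODE = {"voice_purchasing": True, "confirmation_code": "4821"}
MISSING_SETTINGS = {}  # e.g. a profile that was never configured

HOUSEHOLDS = [SHIPPED_DEFAULTS, DENY_BY_DEFAULT, OPTED_IN_WITH_CODE,
              MISSING_SETTINGS]


def authorize_purchase(settings, spoken_code=None):
    """Return (allowed, reason) for one voice purchase request.

    Fails closed: a missing or malformed setting is treated as "deny".
    """
    if settings.get("voice_purchasing") is not True:
        return False, "voice purchasing is off"
    code = settings.get("confirmation_code")
    if code is None:
        # The shipped state from the article: purchasing on, no code needed.
        return True, "no confirmation code required"
    if not isinstance(code, str) or not code:
        return False, "confirmation code setting is malformed"
    if spoken_code is None:
        return False, "confirmation code missing"
    # Constant-time comparison so timing does not leak the code.
    if not hmac.compare_digest(code.encode(), str(spoken_code).encode()):
        return False, "confirmation code mismatch"
    return True, "confirmation code accepted"


def replay_broadcast(households):
    """Count households where an overheard order (no code spoken) succeeds."""
    return sum(1 for s in households if authorize_purchase(s)[0])


if __name__ == "__main__":
    for s in HOUSEHOLDS:
        print(s, "->", authorize_purchase(s))
    print("orders placed by the broadcast:", replay_broadcast(HOUSEHOLDS))
```

Only the household left on the shipped defaults places the order; the unconfigured profile is denied because the check treats an absent setting as "off" rather than "on".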