Are the new talking home cylinders safe?

“Hey Google, set an egg timer for three minutes”. This kind of request, spoken casually in the kitchen, has quickly become normal in our home. How did we so quickly accept the idea of having a live microphone connected to the internet in our homes and what are the dangers?

Now that smartphone sales appear to have ceased growing (which isn’t to say they don’t remain high), tech companies are searching for the next device. Google, Apple and Amazon have all shipped intelligent speakers that listen for a trigger phrase and then understand our speech and answer questions or perform tasks.

The theory is that each of these devices listens locally for the trigger phrase (“Hey Google”, “Hey Siri”, “Hey Alexa”) and only after that is audio captured and sent to the cloud for interpretation. Already, though, there have been two cases where this did not hold.

Shortly after launch in October 2017, Artem Russakovskii, writing for AndroidPolice, found that some early press samples of Google’s Home Mini were recording much more than this.

It turned out that the touch sensor on the top of the device, which can be used to start it listening in place of “Hey Google”, was triggering by mistake. I have one of the devices given out at the launch event but mine doesn’t have this problem. Google says it only affected a small number of devices and has been fixed via a software update.

Amazon Alexa has also been caught out. In May 2018, a couple in Portland, Oregon, USA received a call from the husband’s employee telling them that a recording of private conversations from their home had been sent to the employee’s phone. Amazon investigated, apologised, and explained that in this case the device had mistakenly heard the trigger phrase and started recording, then mistakenly heard a request to send a message, and then mistakenly heard the name of the husband’s employee. Even more amazingly, the device is said to have asked for confirmation and then mistakenly heard someone confirm.

Hardware bugs and overeager software bugs are going to continue to happen, and perhaps the best advice is to check the activity log of your provider from time to time to make sure it’s capturing only what you expect.

Apple, which has taken the high road on privacy, has yet to have an embarrassing Siri story, but that day may come. Apple’s approach on the phones is to do as much of the AI interpretation of your private data as possible on the device, and perhaps that’s the future for their HomePod. Although speech recognition is best done in the cloud today, rapid improvement in machine learning silicon means that eventually the cloud won’t be required. Having said that, it’s likely that future devices will still be internet connected and still at risk.

Internet-connected microphones in houses will be like a honeypot for hackers, and undoubtedly they are a key focus for those who have successfully hacked network webcams in recent years. In August 2016 a site was reported that offered live streams from 73,011 private webcams. The problem is that many users don’t bother to change the default password on their camera.

Is the microphone switch enough?

Each of the devices has a microphone switch.

In an interview, Amazon founder Jeff Bezos stated that it’s really a hardware switch that cuts off the microphone. Users who’ve taken theirs apart have confirmed that voltage to the microphone is off when the switch is off.

The Google Home microphone switch is reported to be a software switch but I have not confirmed this.

Apple’s HomePod has no physical switch but you can ask it to stop listening. (You’ll have to use an app to enable it again, for obvious reasons.)

In the end, if you want to be reasonably sure that your secret conversation won’t be relayed, the power switch is your best bet.

Devices listening for spoken commands are increasingly rolling out. Smart TVs, many new smart speakers and no doubt other devices will gain speech recognition features in the years ahead and these should be viewed with suspicion if you value your privacy.

 



Written by Peter Marks for GovHack.
Peter Marks is a software developer and technology analyst.
He is a regular contributor to ABC Radio National and blogs at http://blog.marxy.org