Is Your Smart Speaker Spying On You?
Those personal assistants everyone seems to be getting for their home are convenient voice-activated tools for an increasing number of tasks. But when Alexa and Google Home are constantly recording and uploading your voice to the cloud, a third-party server, you could potentially be exposing yourself to hackers, government intrusion, and corporate spying. Are these legitimate concerns or paranoid conspiracy?
Amazon Echo and Alexa
By now, almost everyone is familiar with Amazon’s voice-command personal assistant, Alexa – arguably better than Siri, but not quite as intuitive as HAL 9000, though that’s probably for the best. Since the technology was introduced in 2014, a number of iterations from Amazon and Google have been created to put smart speakers in the homes of every consumer.
These speakers are able to play your favorite song, order pizza, activate other smart devices, and maintain your calendar. But some of the other conveniences they can handle involve personal data, like locating your phone, accessing bank account information, and calling your loved ones. All of this is accomplished by having a microphone ready to start recording at any given moment.
These days, new technological advances are a double-edged sword; they’re increasingly convenient, but also increasingly intrusive. That microphone recording your request to order take-out is also uploading it to a cloud server, a third party that is able to do what it wishes with that information.
Now, it would require a lot of data storage to record and save everything, all the time, so the device waits for a wake word to start listening. Your recording is then sent to the cloud to be translated by voice recognition software.
Amazon calls this the Alexa Voice Service, or AVS, which you can access and use to build your own voice assistant with a single-board computer like a Raspberry Pi. That’s why the basic versions of the technology, like the Amazon Dot, which don’t include a Bluetooth speaker, can be sold so inexpensively; the device is basically just a microphone that sends your voice recordings to software in the cloud.
So, if the technology is that simple, doesn’t that leave it vulnerable to hackers? Yes, it does. In fact, there have been several different successful hacks that have forced Amazon to warn users of design flaws and vulnerabilities.
On Amazon’s pre-2017 technology, one programmer created malware that could be installed on Alexa-enabled devices to make them stream recorded conversations directly to his computer. This program was installed by physically removing the rubber bottom and soldering a connection between the device’s internal hardware, an SD card reader, and his laptop.
Though this particular connection would have been blatantly obvious to the person whose device was tapped, he said that, with more time and development, he would be able to create a 3D-printed plate that could be easily planted and go unnoticed.
Amazon’s response? Don’t buy one of their devices from a third party. This might be the only advice needed for most consumers, but those unfamiliar with the technology may be unwittingly spied on in public places where Amazon products are starting to be planted. Last year, the Wynn hotel in Las Vegas announced it would put Echos in all of its rooms, while Amazon is adamantly targeting other hotel groups to do the same.
But that wasn’t the only instance of someone finding a security flaw in one of these speakers. Hackers have found a way to translate voice commands into high-frequency pitches able to be heard by Alexa but not by you – kind of like a dog whistle. Again, to use this hack you must be close to the speaker, though it’s much more discreet than having to install something.
While just about anything can be hacked by someone with enough know-how, there have been cases in which these devices have been recording everything as soon as they were turned on, straight from the factory. One tech blogger found his Google Home mini-speaker was recording and uploading his conversations without him saying the wake word. Google has since fixed this design oversight, but it goes to show just how easily it could “accidentally” happen.
Can Government Subpoena Your Voice Assistant?
The technology has only been available for a few years and already the police have tried to acquire a warrant to access recordings from one of these always-on devices. In a case in Arkansas, police sought access to an Amazon Echo in the home of a man convicted of murder.
The company refused to hand over the information and told police that there wouldn’t even be anything there unless the wake word was used to activate the device. Eventually, the defendant agreed to allow the police access to the Echo, from which they found no incriminating evidence, and the case was dropped.
But it wasn’t just the Amazon smart speaker that the police and prosecution hoped to find evidence in; it was also his smart water meter. Prosecutors pointed to a large amount of water used between 1 and 3 a.m., the time it was thought the defendant hosed down his porch to clean off blood from the victim. The defendant said the am/pm function wasn’t accurate and that he used that much water 12 hours earlier to fill the hot tub.
It’s this level of detail about our activity that our web of smart devices can unwittingly reveal to others. A smart electric meter can even be used to see what television programs we’re watching by matching electricity fluctuations with the brightness of the screen. Essentially, each program creates a unique power signature that can be matched to monitor your television habits.
Because these devices are recording data and uploading it to a third-party server, it can be made public or sold to advertisers who can calculate your habits with metadata. It’s unclear whether this type of intrusive data collection is actually being employed by many companies, but it’s highly likely. And as more and more of our appliances become part of the Internet of Things or IoT, every time you use them, data will be mined and analyzed in order to monitor your behavior.
The ACLU has proposed a set of rules and regulations that should be adhered to by law enforcement and other third parties for the protection of consumer privacy, though they haven’t been written into any legislation yet. It seems that unless we figure out a way to prevent the sharing of all this personal information from the use of smart utilities, we may be offering up access to every minute detail of our lives.
One of the Oldest Conspiracies Proven True: Project Echelon
When Edward Snowden disclosed the vast conspiracy of a multinational surveillance apparatus, it was vindication for Duncan Campbell, who spent decades uncovering one of the biggest facets of government overreach, Project ECHELON. And though it took nearly a lifetime to attain that justification, Campbell turned one of the oldest conspiracies into veritable fact: someone is always listening.
What is Echelon?
Shortly after WWII, five of the world’s major powers – the U.S., U.K., Australia, New Zealand, and Canada – signed onto a joint surveillance program in the aftermath of the Allies cracking the German “Enigma” and Japanese “Purple” codes. Understanding the importance of intercepting and monitoring signals intelligence, or SIGINT, these five countries, known as the Five Eyes, signed onto the UKUSA agreement, which divvied up segments of the world for each country to monitor.
Signals intelligence monitors all signals received from electronic communications, including radio, radar, telemetry, and just about any type of broadcast signal. The advent of satellite technology in the late ’50s, combined with Cold War paranoia, led to a rapid expansion of the program, indiscriminately monitoring all communication signals worldwide. Project P-415, nicknamed ECHELON, became the dragnet surveillance program between the five nations, though it was controlled entirely by the National Security Agency – the American intelligence branch operating under the Department of Defense. The U.K.’s intelligence agency, the Government Communications Headquarters, or GCHQ, became the secondary arm of the ECHELON program.
Through ECHELON, billions of satellite communications were, and continue to be, intercepted and stored in facilities around the world, before being sifted through by computer algorithms searching for keywords that raise red flags. The technology is also able to target individuals using not just phone numbers, but also voice recognition software. The program’s capabilities allow it to target almost anyone on the planet including world leaders, businesses, and private individuals. Despite this fact, it has, more often than not, failed its ostensible job of preventing major acts of terrorism.
Where was ECHELON?
Though there are a number of ECHELON satellite intercept stations around the world, there are a few key locations pointed out by Campbell and other whistleblowers. The largest operation is located at the RAF Menwith Hill station in Yorkshire, U.K., where over 300 million emails and phone calls are monitored daily. Campbell and colleagues have pointed out that a clear indication of an ECHELON-involved station is the presence of large geodesic domes, known as radomes. Beneath these domed enclosures are satellites, hidden from eyes that may be curious about their orientation.