Australian consumers are largely unaware that new smart speaker technology can leave them open to having personal information accessed by hackers using any connected device like thermostats, baby monitors, web cams and recording devices through the explosion of ‘smart skills apps’.
A new report by cyber security firm Xpotentia has highlighted the threat to Australian consumers through the increasing reliance on smart speakers like Amazon’s Alexa and Echo units via any internet enabled device connected to the units.
“Australians are unaware that turning their home in to a ‘smart house’ using their brand new smart speaker unit has the potential to open the door to hackers obtaining their personal information through ANYTHING they connect to their smart speaker device,” Xpotentia Managing Director, Sorin Toma said.
“It is estimated that there are between 13,000 and 15,000 ‘smart skills apps’ out there, specifically designed to connect smart speakers to a consumer’s other personal devices. And there are more hitting the market every day. This can turn your smart speaker device into an all controlling entity in your home.”
The report highlights that a skilled hacker could harvest personal data using a ‘spearphishing’ attack on individuals to obtain their Amazon login details and steal their identities.
This is because, while smart speaker units have their own security parameters, the parent company is not responsible for the actual smart skills apps, nor the ‘packets’ of information that travel between any of your devices connected to the smart speaker.
“The company that owns the smart speaker is only responsible for security of the unit itself and not for the ‘connection’ between your smart speaker and a third party device. This includes your home’s thermostat, baby monitors, webcams, digital recorders and more. This is providing a conduit for hackers to ‘get into your life’,” Mr Toma said.
“Any hacker with a basic ability to hack wi-fi networks could see the data flowing between a smart speaker, smart skills apps and connected devices.”
“The rule of thumb is that hackers are always moving faster than security technology. With so many new smart skills apps coming onto the market to connect our lives to our smart speakers, it’s only a matter of time before we start seeing major cyber-crimes being perpetrated through this type of technology,” Mr Toma said.
Some of the vulnerabilities of the menagerie of smart skills apps include:
- Login process is not authenticated;
- Default option is to allow ‘auto-login’ – most people don’t know to change this;
- Communications with cloud not encrypted – that is, the packets of information between the device and the smart speaker are ‘unprotected’;
- There is insufficient protection of stored personal data;
- Some smart skills vendors have NO privacy policy or privacy settings.
The research briefing also contains hints for consumers to protect their smart home systems and can be found at www.xpotentia.com.au
Sorin Toma is a cyber-security expert with 30 year’s experience and is the former Principal Adviser, Cyber Security for UNSW.
