Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/15/2018
10:30 AM
Menny Barzilay
Menny Barzilay
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack

The problem with having smart speakers and digital assistants in the workplace is akin to having a secure computer inside your office while its wireless keyboard is left outside for everyone to use.

Let's welcome the new members to the cybersecurity threat landscape, ladies and gentleman, a big round of applause for ... sensors! As you undoubtedly know, the Internet of things (IoT) is enabled by sensors, allowing smart devices to respond to their environment by registering voices, movements, temperature changes, smells, and more.  

Sensors also introduce new cybersecurity challenges, not the least of which stem from voice-operated devices, smart speakers, and digital assistants such as Amazon Echo with its accompanying Alexa Voice Service (nicknamed "Alexa"). Though most voice-operated devices are considered primarily to be consumer products, these devices eventually will reach the corporate world (if they have not already), where they will present unique challenges when connected to corporate networks holding sensitive data.  

The "Big Truck" Attack
Imagine the following scenario: Take a big truck. (Yes, an actual physical truck.) Load it with huge speakers. Set the volume to maximum. Drive around New York, Berlin, London, or any other big city. Play a recording with various dangerous voice commands for Alexa (or any other voice-activated device). Sit back and watch the world burn.

Since you can use Alexa to do many things such as write emails, access data, and operate other smart devices, the ability to control it remotely could potentially cause data leakages, disruption of processes, and data integrity problems.

The Vocal Perimeter
By this point, I assume that you have guessed one of my two main points. Up until now, restricting access to sensitive systems by using physical means was, more or less, an easy job. Our offices have walls, locks, and security guards. With voice-operated sensors, it is not always possible to limit access through traditional security measures. Think of it as having a secure computer inside your office and its wireless keyboard outside for everyone to use.

I experienced this phenomenon firsthand when I gave a television interview about Alexa and privacy some time ago. After the interview, several people called me and told me that each time I said "Alexa" on TV, their devices entered the "listening" mode. That was an "aha moment" for me. My ability to control people's smart devices through the TV amazed me. After a while, it started happening to others as well. You might also have heard about the "dollhouse case" or the Burger King ad (which plays after a YouTube ad).

What Doesn't Work?
Biometric authentication, for one, doesn't solve the problem. In theory, Alexa could learn to identify authorized people's voices and listen only to the commands they give. But while this seems like a possible solution, the opposite is actually true. To begin with, there is an inherent trade-off between usability and security. Implementing such a system means that users would have to go through an onboarding process to teach Alexa or any other voice-enabled device how they sound. Compared to the status quo, where Alexa works out of the box, we are talking about a serious degradation in user comfortability.

Biometric identification also means false positives: if your voice sounds different because you are sick, sleepy, or eating, Alexa will probably not accept you as an authorized user. And this is not all — there are systems available (like this example of Adobe VoCo) that, by using a person's voice sample saying one thing, can generate a new sample of his voice saying another thing.

Haven't We Solved this Problem?
Yes, we faced similar challenges with Wi-Fi networks in the corporate world. While these networks are also not limited by physical walls, the use of encryption and passwords proved to be a straightforward solution, separating approved from unapproved users.

It is true that we could force password usage with voice-operated devices ("Alexa, password 1337, please turn off the lights.") But … in the cybersecurity domain, saying the password out loud is not considered to be the most secure method for authentication. Another possible solution would be changing the activation word for voice-operated devices. Instead of calling Alexa "Alexa," you would choose a unique name. This will dramatically reduce our ability to execute The Big Truck Attack. But you'll be forced to say the new name out loud every time you operate a device, preventing it from becoming a strong security measure.

While for some "home users" this risk might be acceptable, it will not pass muster on the corporate side. Worse, in many cases, it would be extremely dangerous to connect voice-operated devices (as well as other types of sensor-operated devices) to sensitive networks — and one should refrain from doing so.

Mission Not Impossible
One possible solution is taking a multidevice approach. In this scenario, several devices would be able to identify approved users simultaneously, dramatically improving security. For example, when Alexa hears a user speaks, she will "ask" his smartwatch for identification confirmation. The smartwatch, being able to "hear" him/her through the voice vibrations inside their body, would match Alexa's received command with the one she just heard. If both match, this can be considered a two-step authentication.

A similar scenario can be achieved with video cameras, matching face and mouth movements to the commands Alexa hears. The camera could tell Alexa, "Yes, I know this guy. He is cool." Still, in any case, we are facing a complicated situation that requires extensive research. Voice identification may solve some of the issues for home users, but it is still far from being suitable for highly sensitive corporate networks.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Menny  Barzilay is a strategic adviser to leading enterprises worldwide as well as states and governments, and he also sits on the advisory boards of several startup companies. Menny is the CEO of Cytactic, a cybersecurity services company, and the founder of the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
3/16/2018 | 10:54:15 AM
IMPORTANT ARTICLE! Always-on voice recognition is a technology ahead of its safety
Anyone who doesn't treat Alexa or other voice-activated technology as the listening, and possibly spying, devices that they are is crazy.  These devices have nowhere near the precautions they need to keep their users safe.  It's not impossible to consider ways in which they could be made safe, but as the article makes clear, the technology to enforce those approaches is not deployed and probably not mature.

If I found one of them anywhere near an executive office, I would read them the riot act.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...