I bought an Amazon Echo Dot. It arrived earlier this week. I love playing with it, and I think I will try writing a skill for it, just to see if I can.
The Dot works sort of like Apple’s Siri: the user says a word to awaken Alexa (the service) and then asks a question. For instance, “Alexa? What is the weather forecast for today?”, will – predictably – ask Alexa for today’s weather forecast. “She” can do a lot more, but this isn’t a post about Alexa.
The Echo products use on-device software to listen for the “wake word,” the default of which is “Alexa.” The user’s query or command is then sent to the cloud for processing. Amazon has assured users that the Echo doesn’t monitor sounds in the room and a quick glance at network traffic seems to confirm that. I’m not too worried.
The Echo has a touted mic array, but I have lots of mics in my house: mobile phones, landline phones, PCs, a Mac, laptops, tablets, and of course the headset I use for taking Learning Tree AnyWare courses. The point is, there are multiple vectors through which an attacker could be eavesdrop on me if that were the goal.
Reportedly, the Chrome browser and Samsung TVs can eavesdrop on users without their permission. There may be others. I have no idea. Wonderhowto.com has a somewhat dated article on how to access a compromised computer’s mic. The point is, it’s probably not rocket science to eavesdrop on a target. The ability of the NSA and law enforcement to listen to “turned off” cell phones is part of in multiple television episode plots.
The director of the FBI – James Comey – recommends placing a piece of opaque tape over your laptop’s webcam: he does it himself. He even calls it common sense. Gizmodo had an article this week about software to block attackers from accessing your webcam. I may have many mics, but I have cameras on my desktop as well as multiple laptops, tablets, and mobile phones. I do not have tape on all of them, but maybe I should.
When I was a little boy my mom told me not to write anything down that I didn’t want the whole world to read. Pundits and security experts have made that admonition to users of email in recent years. Should we also admonish users to keep silent, too? It is easy to cover a camera, but a mic is more difficult to obscure. Workers in classified areas must keep phones and other mics out of the classified areas for this reason. What about company confidential areas?
Choosing between allowing mics (especially on phones) and cameras for their business value versus requiring employees leave them outside some areas of organizations is difficult. Like most security issues, organizations need to think hard about this choice. It is a necessity to weigh the alternatives.
What are you doing? If you work in an area other than a classified government environment, do you prohibit mics and cameras? Is the compromise of those devices event on your radar? Let us know in the comments below.
To your safe computing,