Your smart speaker is designed to listen, but could it be eavesdropping too?
Ever since Amazon came under fire for being able to potentially listen in on people through its Echo smart speakers, and even transcribe what they were saying, I have been intrigued by the idea of how IoT could be used to snoop on us, unbeknown to the victims. Big tech companies behind Alexa-enabled and other similar devices have since taken steps towards making them more privacy focused, but I recently demonstrated a feature that you should be aware of.
Let’s cut right to the chase.
Trouble with an ex
I was recently asked by a friend to help check if she had been hacked, because she could not work out how her ex-partner knew specific information about her life and even private conversations she had had.
I first checked her phone and laptop by running ESET’s security software, and couldn’t see any malware or anything untoward. She mentioned that it was as if her conversations were being listened to and mentioned that some of what she had only said to others had been relayed back verbatim.
This is when I checked for listening bugs. I didn’t discover anything that shouldn’t be there. However, I was interested in the family’s Amazon Echo Dot smart speaker and asked who could have access to it. She told me that her ex-partner had set the device up two years previously, when they were together, and they both had access to the speaker via a shared account, but only she used it now.
As she hadn’t changed her Amazon password – or any other account passwords – since her breakup with her partner, this was a good place to start investigating. I wondered if the device could be used to eavesdrop remotely via the app by anyone with access to the account, which would have let them listen in to her conversations. I remembered I had heard it was possible, but I wanted to test for myself that an Alexa device could be used as a covert listening device.
So I bought an Amazon Echo Dot and long story short, my gut feeling didn’t fail me.
The privilege problem
Some smart devices can be taken out of the box and immediately plugged in and used with default – and therefore usually insecure – settings. Obviously I have never been a huge fan of default privacy and security settings on the majority of smart (or almost any other) devices even after Amazon and a number of other technology giants have been forced to improve their settings in order to better protect users from intrusive practices by manufacturers or third parties.
Now, people don’t normally realize how easily the devices themselves could be used as spying tools by anyone (more precisely, the device’s admin) with illicit intent. (Obviously it’s not a security vulnerability if an admin can enable it via a checkbox – take note of Law #6 in Microsoft’s Ten Immutable Laws of Security: “A computer is only as secure as the administrator is trustworthy”.)
So, I set up my Echo Dot with a unique and strong password and enabled two-factor authentication using an authenticator app, and connected it to my phone. I was also able to connect it to my iPad with ease and I was relatively happy with the security.
I then went to “Devices” in the app and selected my “Echo Dot” and “Settings”, then enabled “Communication”. I then tapped on the “Drop In” feature to enable it. Then back in the “Communicate” tab, all I had to do was select “Drop In” and select my Echo Dot and I was able to listen in to the room that it was in. Easy as pie. I even logged off my home Wi-Fi and connected via 4G to prove I could easily do this from another remote location too.
When you Drop In and listen in to a room, the device light ring displays a spinning green light and it also makes a small ring sound to make those in the room aware of the Drop In. I was unable to Drop In with this light and sound turned off, but an unsuspecting victim might not hear it or simply think nothing of it. After all, these devices tend to make lots of sounds and always seem to have coloured light rings for some reason.
I also decided to check the device logs via my app, but unfortunately there weren’t any logs or anything to suggest I had “dropped in”, which makes forensic evidence more difficult in such a situation. Logs in Echo Dot devices are called “Activity”, but there’s no way to record the use of the Drop In feature.
The spy in your smart speaker
Back to my friend now. When I asked her if there was a chance her Echo Dot could have been used to listen in, it seemed like she experienced a lightbulb moment. She noted that her Alexa would often have coloured rings spinning and she assumed the sounds were to do with her self-claimed “deluge of Amazon purchases” and other notifications.
She claimed that she simply thought that her Alexa was listening for keywords, rather than allowing anyone with her password to listen in on her. She immediately felt uneasy, changed her password, and made her phone the only device pairable with her Echo Dot.
Her device has not made any strange sounds or lit up unintentionally since, and she says she now feels far safer.
Is your home bugged?
There are lots of listening devices on the market, but those hiding in plain sight (and not normally thought of as ‘listening bugs’) are often the most commonly used. It goes without saying that we should be aware of their capabilities if they are going to feature heavily in our homes.
As a result, it is vital that people follow a few tips when using smart technology to remain safe and secure:
- Always use strong and unique passwords
- Enable two-factor authentication
- Review the device’s settings
- Only connect to devices that you own access to
- Do thorough account maintenance – configure user permissions and disable or remove accounts if they’re not needed
- Change the password if you suspect someone has access to the account who shouldn’t
- Turn off the device or disable listening mode when having sensitive conversations
iPhones as listening devices
Lastly, aside from the perhaps more obvious devices like smart speakers, did you know that Apple AirPods can also be used as listening devices? Few people seem to be aware that all that somebody has to do is turn on an accessibility feature called Live Listen on their iPhone and with AirPods in their ears, they can use the phone, left in any room, as a listening device. Who would suspect that an apparently “forgotten” phone was actually a deliberately planted “bug”?