I’m Going to Start This Blog out With a Story
The other weekend my roommate and I had some company over to our apartment. It was like any other Friday night – friends chatting, music playing, and a few adult beverages being passed around. However, as we were leaving to go out to the bars, one of our guests decided it would be hilariously funny to play a little prank. Unbeknownst to me, he used the voice ordering feature on my Amazon Echo (something that I had never turned on, utilized, or configured) to order some $6.99 furry, “Adjustable PU Handcuffs Ankle Bracelets.”
I’ll admit, at the time the idea was pretty funny and relatively harmless.
What he didn’t take into consideration, though, was that I shared the Prime account he ordered from with the rest of my family. So, instead of charging me and shipping to my apartment, it charged my brother and shipped to my parents’ house.
Just in time for Mother’s Day!
As you can imagine, this led to some pretty interesting discussion in our family group chat as we tried to decipher if we’d been hacked or if someone in our family had picked up a few interesting new habits.
In the end, I got a confession/apology out of my friend and we printed out a return slip to send the handcuffs back to Amazon. No harm done. My newly formed trust issues with Alexa though – they might linger a little longer.
The Internet of Things
Post incident, I was quickly reminded of the crazy era we’re entering into, primed to be dominated by the evolving “Internet of Things” (IoT). I’ve written about the Internet of Things before, but a lot has happened since that blog. Every day technology is advancing, engraining itself into our daily lives.
Recently, we’ve entered into uncharted territory, where smart devices are now being leveraged to help solve crimes. In fact, this has already happened twice this year. In one case, Amazon had to turn over audio recordings from an Echo as evidence in a murder trial. Although it is yet to be revealed what Alexa heard (Amazon insists that it only records for a few seconds after the wake word), the fact remains that a smart speaker could determine whether a man spends the rest of his life in jail.
In another, a Fitbit was used to fact check claims that a man made about the killing of his wife. In this situation, investigators were able to use data from the device, as well as other sources, to poke multiple holes in the tale, ultimately leading to his arrest.
Let’s take it back to how I started this blog though, with a smart speaker. Never mind my (former) friend, it seems these personal devices aren’t even safe from corporate advertising. For example, back about a month ago, some marketing guru at Burger King came up with the brilliant idea to insert a Google Home trigger word/phrase into a Whopper commercial. Specifically, the totally natural sounding how-people-speak, “OK Google, what is the Whopper burger?”
Unsurprisingly, when aired, this caused every Google Home across America within TV earshot to activate and dictate a description of the burger. Ignoring the fact that BK teetered on the edge of chaos depending on an easily editable Wikipedia page to express their Whopper mission statement, this was an invasion of home privacy so egregious you almost have to respect it. As expected, Google released an update to stop the commercial from activating the devices.
The rise of the Internet of Things is a powerful movement that we still might not be ready for – both in regards to privacy and security. And as of right now, it’s still easily abused. Sure, it’s my own fault I didn’t check the settings on my Echo, but how many people even know this exists? And why was it enabled by default? What if he had ordered this modestly priced, tasteful $850,000 movie poster instead? (free shipping included, how generous!)
And this is only the start. Obviously sensing an opening in the market for a new selfie taking device, Amazon has recently unveiled the groundbreaking “Echo Look” which essentially puts a (potentially hackable) camera straight into one of the most private and intimate places in your home – the bedroom. What does this device do? Well besides having the obvious ability to take pictures, you can, “Get a second opinion on which outfit looks best with Style Check, a new service that combines machine learning algorithms with advice from fashion specialists.” Hopefully, Amazon has learned from Microsoft’s last foray into machine learning. Otherwise, it wouldn’t be surprising if trolls exploited the system to provoke Echoes into giving fashion tips straight out of Mad Max.
The fact of the matter is, as more and more “smart devices” become available, almost everything we do on a daily basis will eventually become a data point. That means our every movement will, in some way, essentially be “hackable.” 5 years ago, it would have been ridiculous to think a speaker would be a star witness in a murder case. Soon, it might be commonplace. That’s not to say there isn’t potential for good here, too. These devices have the potential to enhance our lives in many ways that haven’t even been conceived yet.
What’s most important, though, is that organizations must be cognizant of the security and privacy implications that come with a connected world.
Oh, by the way, I disabled the voice ordering feature.
Nate is a Marketing Manager at STEALTHbits and has worked in the IT Security industry for 5 years.