Security considerations for voice-activated digital assistants - ITSAP.70.013

Voice-activated digital assistants are a type of smart device that can control other devices when prompted by a human voice. They can perform a variety of tasks, such as checking the weather, adjusting the thermostat and playing music. Voice-activated digital assistants can connect to the Internet, allowing them to communicate with other smart devices and form a vast network known as the Internet of Things (IoT). Although they can be convenient, it is important to consider the cyber security risks associated with voice-activated digital assistants before integrating them into your network.

How voice-activated digital assistants work

Voice-activated digital assistants come in various forms, such as smart speakers, smartwatches and smartphone applications. These devices respond to human commands through voice recognition technology. They record and listen for commands or trigger words. Once triggered, the device captures the request and searches the Internet for a suitable response or carries out the requested action. These devices also listen and parse conversation for the purposes of targeted marketing.

Voice-activated digital assistants use algorithms and machine learning to improve their performance over time. They create user profiles to identify individuals who issue commands, allowing for more personalized interactions. This involves saving voice recognition data and storing information about the resources and smart devices they use to fulfill your requests. For example, digital assistants may retain data such as websites visited and settings for controlling your home appliances or security cameras. Although digital assistants can create profiles to recognize voice commands from a particular individual, they will record and respond to any voice command they can interpret.

Risks associated with digital assistants

Voice-activated digital assistants are high-value targets for cyber threat actors who want to steal sensitive information. The interconnected nature of these devices means that a vulnerability in one digital assistant or a device connected to it can compromise the security of the entire network.

Cyber threat actors can take advantage of these vulnerabilities in various ways, including:

  • accessing personal information, such as
    • usernames
    • passwords
    • other sensitive account details
  • learning whether you are at home or away
  • tampering with other connected smart device controls to compromise security and integrity, such as
    • adjusting temperature settings
    • unlocking doors
    • disabling alarms

There are also additional risks tied to some of the features of digital assistants.

Storing voice recognition recordings and transcripts

Devices can retain a voice-to-text transcription when the device sends a recorded voice command to a cloud-based resource. This data could contain confidential information, particularly if the voice service was triggered accidentally. Be aware of vendors' privacy policies. Vendors often have terms that allow them to retain recordings or transcriptions for quality improvement or to share with partners.

Eavesdropping on sensitive conversations

Voice commands for activities like controlling lights or changing music have a minimal risk of capturing background conversation. However, there are other scenarios where captured background conversations can be risky. For example, connecting a voice assistant to a business platform to dictate the content of your emails could give it access to sensitive conversations. Threat actors can leverage this data to conduct dolphin attacks or make unauthorized purchases. You should turn on confirmation dialogs to minimize the risk of accidental or unauthorized transactions. This will prompt your device to repeat your command and confirm that you want to proceed. Modern devices that have on-device voice recognition can be safer.

Attack methods

Cyber threat actors could target your digital assistant through methods such as a "dolphin" attack or malware.

"Dolphin" attack

A "dolphin" attack broadcasts ultrasonic frequency sounds, which are inaudible to the human ear but trigger the recording feature in digital assistants. These high-frequency sounds can be embedded into videos, websites or even physical devices, enabling threat actors to target digital assistants within range. By emitting these sounds, threat actors can trigger the digital assistant to initiate actions, such as transferring files, making unauthorized purchases and stealing sensitive data.
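A defender can screen an audio capture for the inaudible content described above. The following is an added example, not part of the original publication: it measures the share of spectral energy above the audible range in one frame of audio. The 20 kHz boundary, the 0.2 alert threshold, the 96 kHz sample rate and the synthetic test tones are assumptions chosen for illustration.

```python
import cmath
import math

AUDIBLE_LIMIT_HZ = 20_000  # assumed upper bound of human hearing
ALERT_RATIO = 0.2          # assumed alert threshold, tune per environment

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def ultrasonic_ratio(samples, sample_rate):
    """Share of spectral energy above the audible limit (0.0 to 1.0)."""
    n = len(samples)
    if n < 2 or n & (n - 1):
        raise ValueError("frame length must be a power of two")
    if sample_rate / 2 <= AUDIBLE_LIMIT_HZ:
        raise ValueError("sample rate too low to observe ultrasonic content")
    # Hann window limits leakage of strong audible tones into high bins.
    frame = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
             for i, s in enumerate(samples)]
    spectrum = fft(frame)
    audible = ultra = 0.0
    for k in range(1, n // 2):  # skip DC, use positive frequencies only
        power = abs(spectrum[k]) ** 2
        if k * sample_rate / n > AUDIBLE_LIMIT_HZ:
            ultra += power
        else:
            audible += power
    total = audible + ultra
    return ultra / total if total else 0.0

def is_suspicious(samples, sample_rate):
    return ultrasonic_ratio(samples, sample_rate) >= ALERT_RATIO

def tone(freq_hz, sample_rate, n):
    """Constructed test signal: a unit-amplitude sine wave."""
    return [math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]

RATE, N = 96_000, 2048  # constructed capture: about 21 ms at 96 kHz
voice_band = tone(1_000, RATE, N)
with_ultrasound = [a + b for a, b in zip(voice_band, tone(25_000, RATE, N))]
```

The check is only meaningful when the microphone and capture chain actually record above 20 kHz; a capture made at a 44.1 kHz or 48 kHz sample rate has little or no usable bandwidth in that range.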

Malware

Malware is a common method used by cybercriminals to compromise digital assistants. It infects these devices through disguised applications, malicious attachments and links. Malware is very hard to detect and diagnose on digital assistants. Once inside, threat actors can use malware to record your voice and use the recording for other malicious activities, such as bypassing voice recognition authentication on your other devices.


Considerations for selecting a vendor

When selecting a vendor for voice-activated digital assistants, ensure you understand the terms and conditions in your vendor's end-user licence agreement. Consider the following questions when selecting a vendor:

  • Is there an option for a "tap to activate" mode?
  • Is there an option to turn off the listening function to safeguard private events and conversations?
  • What data is sent to their voice processing service?
  • What information is returned in response to a service or application request?
  • Who has access to raw voice or text data?
  • How is retained data used and for how long?
  • Is the data generated by the device encrypted?
  • Where is data stored?
  • Is data shared with any third parties?

Review vendors' privacy policies and security practices. Research reviews and security ratings to determine whether the vendor's databases have vulnerabilities or if their storage facilities have been breached. Consider products that offer local data storage options, as opposed to cloud-based storage. Storing data locally on the device can reduce the risk of exposure to cloud-based vulnerabilities and breaches.

Securing your digital assistant

When setting up your device or digital assistant, you should identify what potentially sensitive information it can access via your network. Consider isolating your digital assistant on a separate network, such as a guest network, to protect your main network should a compromise occur. You should also consider implementing the following best practices to secure your device.

  • Use a unique, strong password or passphrase for your digital assistant
  • Set a PIN on your digital assistant to prevent unauthorized use of the voice assistant
  • Use multi-factor authentication (MFA) to secure accounts and devices on your network
  • Turn off your digital assistant when discussing personal or sensitive information in its vicinity
  • Verify if your device allows you to turn off active listening features
  • Review the microphone permissions granted to applications on your device
  • Deactivate features that allow the digital assistant to perform security-sensitive operations, such as unlocking doors or controlling cameras
  • Disconnect remote access functions on devices if they are not required
  • Update and patch software and firmware frequently
  • Use a virtual private network (VPN) on the network to which your digital assistant is connected
  • Review permissions on your apps to determine whether or not they require access to your microphone and your conversations
  • Delete your voice request history regularly to ensure that there is no memory bank of your voice profile and the content of your conversations
  • Check your privacy settings and make sure you are not sharing more data than necessary
  • Download apps from official stores only, and avoid third-party apps that may be more likely to contain malware

Steps to address a compromise

If you suspect malicious activity on your voice-activated digital assistant or other smart devices, you must act quickly to minimize the potential damage. You should take the following steps:

  1. Power down the IoT device immediately
  2. Contact your mobile service provider to locate the point of intrusion and determine what data has been compromised
  3. Perform a factory reset immediately to remove any malicious software or configurations
  4. After resetting, update your device with the latest version and relevant security patches
  5. Consider both network-based and host-based monitoring solutions on your network
  6. Change the passphrases for all affected accounts and devices, ensuring they are strong and unique

Learn more about reporting cyber incidents to the Cyber Centre.
