Over 66 million Americans own at least one smart speaker, and with hands-free activation and virtual assistance integrations through our phones, the technology is becoming popular in the modern home. Knowing how to secure your smart speakers and protect yourself from new sources of fraud will become essential to more and more households in the coming years. Are you prepared?
With a few words, users can control Wi-Fi and Bluetooth devices like light bulbs, TVs and thermostats. Their ease of use and cross-platform functionality make smart speakers an enticing piece of technology, but security flaws also make them vulnerable to attacks from cybercriminals.
How do smart speakers work?
On their own, smart speakers aren’t very intelligent. Without a connection to the internet, they can’t answer questions or access third-party services like music platforms and eCommerce sites.
Devices like Amazon Alexa and Google Home listen for a wake word before sending commands to the cloud for interpretation. Current smart speakers have limited memory and can only hold a few seconds of audio at a time. As soon as they record audio, they immediately delete it. The device continuously records and deletes a few seconds of audio while it waits for a wake word. Only after it hears the designated word will the device send an audio clip to a machine-learning algorithm for processing. At that stage, a neural network, which mimics the way humans associate words with meaning, interprets the input, matches patterns and triggers actions—like adding an item to your grocery list or changing an event on your calendar.
Are smart speakers vulnerable to security threats?
Like any device that is connected to the internet, smart speakers are open to attacks from fraudsters who want to acquire the personal information of users. Though reports of direct attacks on smart speaker users are few and far between, there’s evidence that the devices don’t always wait for a wake word to begin recording.
In some instances, smart speakers may accidentally interpret a random word or sentence as a call to wake up. In 2018, there were several reports of Alexa devices bursting into robotic laughter on their own. Although no sensitive data was exposed, such events indicate that the algorithms behind voice assistants are imperfect.
In October 2019, a vulnerability affecting Google and Amazon smart speakers was widely reported. According to researchers, malicious software developers could upload voice-controlled apps that secretly record users and ask for their passwords. This type of attack is known as voice phishing or vishing, and you can learn more about how to avoid becoming a victim in our comprehensive guide.
You may already have a smart speaker, or you may receive one as a gift. Either way, you will want to be sure that you’re not opening your home to an unnecessary security risk.
7 tips to you secure your smart speakers
No device connected to the internet is ever 100% secure, but with these tips, you can limit your exposure to risk:
1. Don’t share sensitive information with your device
Never share information with your smart speaker or digital assistant that you wouldn’t want a stranger to know. For example, you shouldn’t tell your assistant your passwords, credit card information, Social Security number, and various other personal identifying information that criminals can use to target you and your family. If an app on your device asks for this type of information, it could be a malicious piece of software.
2. Disable purchasing commands
Devices like Alexa come with pre-installed commands that allow you to make purchases with a simple voice command. This means that anyone with access to your device could make purchases with your connected account. You can disable this feature or protect it with a password that only you know. Do you really want your kids adding toys to your Amazon cart and placing the order?
3. Limit the type of devices you connect to your speaker
Many smart devices allow you to connect them to your speakers for hands-free control. This makes it convenient to change the channel on your TV, start your coffee maker or adjust the temperature of your home. You should be wary about connecting smart security devices like door locks and alarms so that potential intruders cannot control them.
4. Review and delete your recordings
Smart speakers like Alexa and Google Home allow you to review every command they have ever recorded. Using an associated app, you can see when someone has said the wake word as well as what commands were transmitted to the cloud. You can delete any sensitive information permanently via the app.
5. Enable two-factor authentication when available
If you connect third-party apps and services to your smart speaker, consider enabling two-factor authentication. For example, if you still want to make purchases via your smart speakers, you can require the device to send a confirmation code to your smartphone. This ensures that only authorized users are able to make purchases.
6. Secure your Wi-Fi network
Any web traffic to and from your smart devices must pass through your home’s Wi-Fi router. Ensure your network uses WPA2 encryption to protect your data. In addition, some routers allow you to establish a secondary network just for guests. This way, you can limit your exposure to risk.
7. Enable voice recognition when possible
Out of the box, most smart speakers can be controlled by anyone. Anyone within speaking distance of your digital assistant can issue commands. To reduce the risk of unauthorized usage, consider enabling voice recognition. This allows you to limit who is able to use the device. However, you should note that voice recognition isn’t a perfect solution and may not work consistently.
Smart speakers offer a high level of hands-free convenience for controlling the various smart devices in our lives. As with any technology, they are not absent of risk. If you take reasonable steps to protect your devices, you can limit your exposure to cybercrime. Visit our security center to learn more about how to protect yourself from scams both on- and offline.