Recently a TSCMi member brought to our attention a YouTube article referring to a hacking vulnerability of Amazon’s Echo, the audio personal assistant, to provide the opportunity for malicious use as an eavesdropping device. In truth this should not be a surprise. On line Hacking communities have recently been full of such vulnerabilities, and these are not just limited to the Echo. There are a number of similar “smart speakers” and apps that provide personal assistant functions on laptops, smartphones and tablets.

And they’re all smarter than you might think.

As well as the vulnerabilities highlighted above there are the inadvertent responses to mis-interpreted words said within range of such devices resulting in un-wanted purchases or the spontaneous sharing of conversation (as in an incident of erroneously shared conversation recently reported in the Press regarding private discussion in the home about flooring).

Whilst the manufacturers are responding quickly to address reported vulnerabilities should we really be able to trust such devices? Especially considering the vast community of enthusiasts determined to find such vulnerabilities and demonstrate their ability to exploit them; and the more maliciously inclined, intent upon more sinister purpose.

There are clear privacy issues relating to the deployment and use of such devices, but what of their impact upon the vulnerability of a business user to malicious eavesdropping?

First lets take a step back and consider what we have in the wider context. It is common practice, both at home and in the office, to ensure that access to PCs and tablets, and hence networks, is protected by username and complex password, and that there is a limited period of inactivity before such switch to sleep mode requiring a password to awaken.

What we have with smart speakers and similar devices is effectively a “PC”. With a “username” that can be overheard when used, no password, and with direct access to networks and data. Would that comply with any current IT security policy?

Secondly we have a microphone! And where there is a microphone there is an eavesdropping vulnerability.

The ability to overhear conversation remains, despite the rapid expansion of information held or transmitted in digital format, high value to those pursuing corporate intelligence or personal secrets with malice in mind – and particularly for members of the Press chasing that elusive scoop.

The opportunity to continue surveillance outside the “secure” boardroom or office, where conversation can easily migrate into sensitive and valuable subject areas, will also be sought. The presence of such a device may offer yet another valuable opportunity to the eavesdropper. Consider where you have that casual chat over coffee or in the hotel, restaurant, or at home.

Then consider the possible impact.

Before a conversation starts there is no “flag” which can accurately limit the level of confidentiality to which the content of the discussion might take. Neither is there any record of its “loss” since there are no missing copies, or audit trails, as with documents. This lack of audit has two significant business impacts:

• There is likely to be little evidence to say that the information discussed has been shared and hence there will be an assumption that all remains secure. Indeed when the overheard intelligence finally impacts the business the chances are that other causes are blamed; or it may even be put down to just plain bad luck.
• Even if there is subsequent evidence that the conversations have been overheard, if the extent of intelligence covered within conversations thus eavesdropped cannot be truly recalled, it will be difficult to accurately assess the impact. Unlike a file there is no true record of content, no start or end (the eavesdropping may have been going on for weeks or months) and no audit trail.

Now comes the conflict.

In the working environment common sense would direct strict control over both the deployment and use of such devices; if they are to be used at all.

In the home there is that pressure to keep up with the latest technology, and to accommodate the desire of family members who wish to make use of, what can be, a convenient and powerful Internet tool.

Countering the threat.

From the counter-eavesdropping perspective these devices are no different from the numerous other items of technical equipment with similar vulnerabilities to be found around the home and in the working environment. Their deployment and use must be risk managed in an appropriate and balanced way, and included in the overall corporate security strategy of the organisation. TSCM consultants can advise upon how this may be incorporated for a particular building or organisation.

However this will only cover those devices and apps of which the client is aware. As with other technical devices with potential eavesdropping capability the hardware can be concealed either as the device itself, or with the key circuitry built into an otherwise innocuous host. And such will only be revealed by a detailed and diligent TSCM survey.

And what of public places? Is that a smart speaker in the corner of the Lobby? Is the guy in the seat behind talking to his tablet? Or is his tablet listening to you?