This is a presentation on the state of data security in voice assistants. While this focuses on the current market leader, Amazon's Alexa, the material in this presentation can be more broadly applied.
All opinions are my own.
2. tl;dr Alexa collects your audio
www.hackerhalted.com 2
• But you already knew that..
• What you may not know is what that audio contains
• ..or how it's stored
• ..or who it’s shared with
• ..or what to do about it!
3. Alexa is always listening
• The mute button is designed to be irritating
• Alexa is almost the perfect listening device
• Alexa is basically an excellent microphone with a computer attached
• 2nd gen Alexas had a 7-mic array
• Newest one comes with 4 far-field microphones
• Easily triggered by design
• The inverse square law means sound drops by 6 dB for every doubling of distance
• So far-field mics must be extra-sensitive
6. Alexa is always recording
• Recordings are kept indefinitely
• Recordings are kept in a large collection
• Recordings are not protected by strong access controls
13. Alexa doesn’t just record voice
• The audio landscape around us rarely has a single sound event going on
• New apps and papers reveal that voice is not the only thing that's recorded
• Environment, emotions and health are also recorded
26. Alexa is not the only snitch
• Google and Siri are also designed this way
• Google plans to turn some phones into Alexa devices
• Baidu and Sonos are catching up
• Even without these, listening devices are pretty cheap
30. Snitches get stitches
• You knew this was coming..
• Be mindful of the audio you produce
• Consider shaping that landscape
• Dampen or mask areas like you were a Cold War spy
• Help out with an open source on-prem voice assistant
• Shut your mouth
• Know and respect the actors trying to protect you
40. Conclusion
• Alexa is always listening
• Amazon is always recording
• Alexa doesn’t just record voices
• Alexa isn’t the only snitch
• Snitches get stitches
41. The end – Thanks for coming!
Wes Widner
Cloud Engineering Manager, CrowdStrike (we’re hiring engineers)
wes.widner@crowdstrike.com
@kai5263499
https://github.com/kai5263499/audio-security-awesome
Amazon’s letter to U.S. Senator Chris Coons (D-Del.): https://www.coons.senate.gov/imo/media/doc/Amazon%20Senator%20Coons__Response%20Letter__6.28.19%5b3%5d.pdf