This is a presentation on the state of data security in voice assistants. While this focuses on the current market leader, Amazon's Alexa, the material in this presentation can be more broadly applied. All opinions are my own.

1. Alexa is a snitch!
WesWidner – CrowdStrike

2. tl;dr Alexa collects your audio
www.hackerhalted.com 2
• But you already knew that..
• What you may not know is what that audio contains
• ..or how its stored
• ..or who it’s shared with
• ..or what to do about it!

3. Alexa is always listening
www.hackerhalted.com 3
• The mute button is designed to be irritating
• Alexa is almost the perfect listening device
• Alexa is basically an excellent microphone with a computer attached
• 2nd gen Alexa’s had a 7 mic array
• Newest one comes with 4 far-field microphones
• Easily triggered by design
• The inverse square law means sound drops by 6db for every doubling of
distance
• So far-field mics must be extra-sensitive

4. www.hackerhalted.com 4

5. www.hackerhalted.com 5

6. Alexa is always recording
www.hackerhalted.com 6
• Recordings are kept indefinitely
• Recordings are kept in a large collection
• Recordings are not protected by strong access controls

7. www.hackerhalted.com 7

8. www.hackerhalted.com 8

9. And when a customer interacts with an Alexa
skill, that skill developer may also retain
records of the interaction.
www.hackerhalted.com 9

10. www.hackerhalted.com 10

11. Kept in a large repository..
www.hackerhalted.com 11

12. www.hackerhalted.com 12

13. Alexa doesn’t just record voice
www.hackerhalted.com 13
• The audio landscape around us rarely has a single sound event going
on
• New apps and papers reveal that voice is not the only thing that's
recorded
• Environment, emotions and health are also recorded

14. www.hackerhalted.com 14

15. www.hackerhalted.com 15

16. www.hackerhalted.com 16

17. www.hackerhalted.com 17

18. www.hackerhalted.com 18

19. www.hackerhalted.com 19
A treasure trove of fingerprints

20. www.hackerhalted.com 20

21. www.hackerhalted.com 21
Say AHHHH..

22. www.hackerhalted.com 22

23. www.hackerhalted.com 23

24. www.hackerhalted.com 24
I’m sorry Dave…

25. www.hackerhalted.com 25
Predictive crime

26. Alexa is not the only snitch
www.hackerhalted.com 26
• Google and Siri are also designed
this way
• Google plans to turn some
phones into Alexa devices
• Baidu and Sonos are catching up
• Even without these, listening
devices are pretty cheap

27. www.hackerhalted.com 27
Et tu, Google?

28. www.hackerhalted.com 28
A few bad Apples..

29. www.hackerhalted.com 29
Smart speakers everywhere!

30. Snitches get stitches
www.hackerhalted.com 30
• You knew this was coming..
• Be mindful of the audio you produce
• Consider shaping that landscape
• Dampen or mask areas like you were a
cold war spy
• Help out with an open source on-prem
voice assistant
• Shut your mouth
• Know and respect the actors trying
to protect you

31. www.hackerhalted.com 31

32. www.hackerhalted.com 32
If you’re not paying for it..

33. www.hackerhalted.com 33
Sound cloaking

34. www.hackerhalted.com 34

35. www.hackerhalted.com 35
But in all seriousness

36. www.hackerhalted.com 36
Manhandle Alexa

37. www.hackerhalted.com 37
Setting expectations

38. Shout out to the Mozilla Voice project
www.hackerhalted.com 38
https://voice.mozilla.or
g

39. www.hackerhalted.com 39

40. Conclusion
www.hackerhalted.com 40
• Alexa is always listening
• Amazon is always recording
• Alexa doesn’t just record voices
• Alexa isn’t the only snitch
• Snitches get stitches

41. The end – Thanks for coming!
Wes Widner
Cloud Engineering Manager Crowdstrike (we’re hiring engineers)
wes.widner@crowdstrike.com
@kai5263499
https://github.com/kai5263499/audio-security-awesome
www.hackerhalted.com 41