Tag Archives: voice attacks

Internet of Things still not taking privacy seriously

It seems that companies developing the connected devices that make up the Internet of Things are in a constant race to release new technologies while potentially compromising on privacy.

It emerged this week that certain models of Samsung’s smart TVs are able to record conversations while voice recognition is active.

Samsung’s Terms and Conditions read:

“Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.”

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

So while voice recordings will only be made while the feature is active, the Terms and Conditions do state that:

“If you do not enable Voice Recognition… while Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.”

I have blogged and spoken on privacy and the Internet of Things several times and it is disappointing to find that privacy and security are still not part of the design process for most consumer IoT devices.

First, in 2013 I highlighted the amount of data that is being generated by each and every user of connected devices, often without their knowledge or understanding.

Then, in 2014 I revealed how voice activated technology could be used to manipulate devices into executing unauthorized commands such as sending emails, or controlling a smart TV.

Video: How Voice Activated devices can be hacked

Here we have the two issues combined into one:

  • End users are likely unaware that their data is being collected while using the voice command feature. Likewise, they don’t understand that this data is used and shared.
  • The dangers of voice activated technology, and the potentially harmful ways it can be used. If you entered sensitive data such as a password via voice recognition, it may seem safe, but voice command records can be stored and stolen just like written files.


Users may not understand that while Samsung’s privacy policy contemplates the use of active voice commands, voice activation features can be used both actively and passively, meaning that devices can be constantly recording sound and identifying activation commands.

There is, as such, a potential for privacy issues here.

It’s about time that manufacturers of smart devices started taking the privacy and security of their users seriously. Only a few weeks ago a wireless baby monitor was hijacked and the attacker communicated directly with the nanny through the device.

After CES 2015, I commented that privacy should be at the very heart of the Internet of Things, a sentiment echoed by the FTC and its Chairwoman Edith Ramirez in their report on the Internet of Things.

Hopefully, it will not be too long before the public and electronics producers realize that going online should not mean surrendering your privacy.

The web gets ready for voice recognition

News broke earlier in January that Facebook has acquired Wit.ai, an 18 month old startup that specializes in voice recognition technology. At first, this might seem like a strange move but upon closer inspection, the rationale is clear.

Millions of users are turning to mobile as their preferred platform, where typing long messages and interacting with friends is far more challenging than on a PC keyboard.

It’s clear that companies like Facebook face a challenge to make mobile interaction easier and more engaging.

Using Wit.ai’s expertise, Facebook can build a mobile-first platform, with a voice activated interface and text-to-speech messaging being some obvious first steps.

The Facebook acquisition highlights the excitement and potential behind voice recognition technology. We are potentially witnessing a fundamental shift in the way we interact with our technology forever.

As we start integrating voice activated functionality into new smart devices and services we use on a daily basis, my primary concern isn’t one of convenience but of security.

As I wrote in this blog in September 2014, there is much work to be done in securing our digital devices from voice commands.

Most voice recognition technologies scan commands for meaning and then execute them. I believe there is a need for an additional step, one of authentication.

Does the person issuing the command have the authority to do so? When I ask the device to execute a command, does it validate that it is really me and not someone else?
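One way to implement the authentication step proposed above, as an added example that is not code from this blog or from any vendor: a policy gate that lets low-risk commands through on the transcript alone, but requires a speaker-verification score, a liveness check and on-screen confirmation before a sensitive intent such as sending email executes. The intent lists, the threshold and the way the score and liveness flag are produced are assumptions.

```python
# Added example (not code from the blog): a policy gate for voice commands.
# The transcript alone decides nothing; sensitive intents need extra proof.
from dataclasses import dataclass
from typing import Tuple

# Intents that act on the owner's behalf (the "send an email" case)
# versus ones that only change local state. Both lists are assumptions.
SENSITIVE_INTENTS = {"send_email", "send_message", "make_payment"}
LOW_RISK_INTENTS = {"volume_up", "volume_down", "change_channel", "pause"}

# Assumed threshold for a speaker-verification score in [0, 1]; how the
# score and the liveness flag are produced is outside this example.
SPEAKER_MATCH_THRESHOLD = 0.8


@dataclass
class VoiceCommand:
    intent: str
    speaker_score: float       # similarity to the enrolled owner's voice
    live_speaker: bool         # anti-replay check: not played-back audio
    confirmed_on_screen: bool  # owner tapped "confirm" on the device UI
    device_unlocked: bool


def decide(cmd: VoiceCommand) -> Tuple[str, str]:
    """Return (decision, reason); decision is execute, confirm or deny."""
    if cmd.intent in LOW_RISK_INTENTS:
        return "execute", "low-risk intent"
    if cmd.intent not in SENSITIVE_INTENTS:
        return "deny", "unknown intent"
    # Every remaining branch is a sensitive intent: fail closed.
    if not cmd.device_unlocked:
        return "deny", "sensitive intent while device is locked"
    if cmd.speaker_score < SPEAKER_MATCH_THRESHOLD:
        return "deny", "voice does not match the enrolled owner"
    if not cmd.live_speaker:
        return "deny", "audio looks like playback rather than a live speaker"
    if not cmd.confirmed_on_screen:
        return "confirm", "ask the owner to confirm on screen before sending"
    return "execute", "owner authenticated and confirmed"


if __name__ == "__main__":
    # A synthesized voice from an app: transcript parses, speaker check fails.
    print(decide(VoiceCommand("send_email", 0.31, False, False, True)))
    # The owner, device unlocked, but no confirmation yet.
    print(decide(VoiceCommand("send_email", 0.94, True, False, True)))
```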

As I demonstrate in the video below, it is quite simple to have a device act upon a voice command issued by a synthetic voice or by a 3rd party that has access to the device – even remotely:

Video: Voice hacking a device

As Facebook and other leading companies add more voice activation technologies to their roadmap, it’s important to realize that we are also increasing the number of services and devices that are potentially vulnerable to voice attacks. So, considering this, let’s build it with safety in mind.

Four trends that will change mobile in 2015

In fact, in the US mobile web traffic exceeded desktop web traffic for the first time. Mobile is fast becoming the most convenient and cost effective way to get online, but what does the future hold for our smartphones?

Here are my predictions on how our mobile worlds will continue to evolve in 2015.


Apps will become the primary target for hackers

While the first generation of mobile threats primarily used vectors and methods seen in the PC world, we are beginning to see new threats specifically designed to exploit mobile devices. The threat is not just malicious apps, but also regular apps that are vulnerable to attacks.

Until now, the centralized software distribution model seen with the AppStore and Google Play has helped protect our devices from malware. This concept came as a lesson we all learned from the PC, where software distribution is not controlled and so malware is common. Apps on official stores are less likely to be malicious, but it doesn’t mean they are not vulnerable to attacks.

Hackers love to find vulnerabilities. Almost every software program has vulnerabilities that are waiting to be discovered and mobile apps are not an exception. As official app stores make it difficult for hackers to directly upload malicious apps, they have instead begun hunting for vulnerable apps to attack.

Vulnerable apps are not always removed from the app stores, and many have been left unmaintained by their developers, creating an opportunity for hackers to exploit them.


New threats will emerge

As a result I expect to see a rise in the discovery of mobile app vulnerabilities during 2015. Here are a few examples:

  • Voice activation – Voice activated software is a standard feature on smartphones and is also appearing in smart TVs and other Internet-connected devices. However, many of the implementations are vulnerable to voice activation attacks because they do not authenticate the source of the voice: it could be you speaking, or equally it could be a synthesized voice coming out of an app. Yes, even a game can play a sound and send an email to your contacts on your behalf.

Video: How Apps Could Hijack Google Now

  • Mobile browsers – For the average user, browsers on mobile are very difficult to operate. Small screens mean you see only a fraction of the URL, making it easy to disguise a malicious URL. Drive-by infections, which are well known to PC users, will soon come to mobile users as well. Not surprisingly, mobile browsers are also vulnerable to JavaScript exploits that can be triggered by a hacker remotely. That could mean streaming video to or from a device, even if it is locked.
  • Radio-based threats (Wi-Fi, Bluetooth, NFC) – mobile devices are constantly broadcasting over radio frequencies in order to connect and transfer data. Rogue access points and over-the-air sniffers can capture transmitted data, reply with malicious content or even modify the values in the data over the air.
  • Masque Attacks and malicious profiles – as mobile users have less visibility of the files being downloaded to the device, as well as of the running processes and settings, hackers will continue to use these limitations to mislead users into downloading and installing malicious files on their devices from outside the app store. However, apps on app stores are also vulnerable, and I predict the number of malware detections from recognized app stores will increase in 2015.
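The mobile browser point above, on how little of a URL a small screen shows, as an added example that is not part of the original post: a short simulation of an address bar that truncates on the right, beside the host the browser actually connects to, with a check that flags the mismatch. The sample URLs and the brand host are constructed.

```python
# Added example (not from the original post): what a narrow mobile address
# bar shows versus the host the browser really connects to. URLs constructed.
from urllib.parse import urlsplit


def visible_prefix(url: str, chars: int) -> str:
    """Simulate an address bar that truncates a long URL on the right."""
    return url if len(url) <= chars else url[:chars] + "..."


def true_host(url: str) -> str:
    """Host the request goes to; userinfo before '@' and the path are ignored."""
    return urlsplit(url).hostname or ""


def host_belongs_to(host: str, brand_host: str) -> bool:
    """True only for the brand host itself or a subdomain of it."""
    return host == brand_host or host.endswith("." + brand_host)


def looks_like_brand_spoof(url: str, brand_host: str) -> bool:
    """Flag URLs that show the brand name but resolve to another host."""
    return brand_host in url and not host_belongs_to(true_host(url), brand_host)


if __name__ == "__main__":
    BRAND = "mybank.example"  # constructed brand host
    samples = [  # constructed: one genuine URL, two look-alikes
        "https://www.mybank.example/signin",
        "https://www.mybank.example.account-verify.test/signin",
        "https://mybank.example@login-check.test/signin",
    ]
    for u in samples:
        shown = visible_prefix(u, 26)   # 26 chars: about one narrow screen width
        print(f"{shown:32} host={true_host(u):42} spoof={looks_like_brand_spoof(u, BRAND)}")
```

With a 26-character bar all three samples display exactly "https://www.mybank.example" or the brand name, which is the whole point of the truncation problem.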


Data will become more valuable and more threatened

Mobile devices are much more personal than our PCs ever could be. The data on them is much more intimate and is a much more rewarding target for hackers. In 2015, I expect data, especially that held on our mobile devices, to come under much greater scrutiny.

In particular, I foresee three threats to our data in the coming year:

  • Physical tracking – criminals or law enforcement can use location data stored on your phone to identify important places (such as home or place of work) and analyze behavior such as a daily route or absence from home.
  • Data stealing – in mobile, everything is broadcast through the air, that means data is vulnerable to being intercepted as it travels. Credentials, financials, transactions or payments can all be captured and recorded by 3rd
  • Commercial tracking – mainly done by retailers to better understand the behavior of their visitors. Think online analytics but for the physical world.


Payments will also go mobile

The public’s positive reception of Apple Pay heralded a new phase of consumer payment methodology. Although Apple is not the first to introduce mobile payment, their offering came at a good time and the implementation seems to be practical and secure.

As mobile payments are a new experience for consumers, I expect to see social engineering attacks where hackers will try to confuse and mislead in order to steal credentials and personal data. This is expected to be the first phase of attacks. Once consumers are more familiar with the technology, attacks on vulnerable apps and even on the payment services are expected to soar.