Voice Assistants - Security Options
Voice Assistants - Security Options
January 30th, 2020
In the early days of voice assistants, they were synonymous with the term “smart speaker”. This is slowly being corrected as the role of the voice assistant changes. Voice assistants were first widely available with the release of Apple’s Siri in October of 2011 and the release of the Amazon Echo in November of 2014. Today we are seeing voice assistants being added to just about every product category. This whitepaper will focus on the limited security functionality that voice assistants offer today along with some suggested future enhancements for security and safety.
Current Voice Assistant Security Options
The primary focus of voice assistants is currently convenience, not security. Looking at the functionality of the Alexa and Hey Google voice assistants, you will find that “Voice Profiles” and “Voice Match” are available respectively for each product. You might assume these options were designed with security as the main purpose, but convenience and personalization are the primary functions of these options.
Alexa Voice Profiles
Figure 1. Alexa supported features.
Note the “Shopping” option of the voice profile lessens the security of the transaction. If one has enabled a pin for purchases, enabling voice profiles removes this functionality. Thus, if someone has a recording of you and access to your voice assistant enabled device, then they could possibly make a purchase without knowing your voice code pin. While this scenario may seem unlikely with the email verification from Amazon about the purchase, the next day delivery scenario and “porch pirating” adds credibility.
Google Voice Match
As shown in the feature list below, the primary focus is a personalized experience. There is nothing wrong with this approach but adding security options to the features below could improve personalized experiences.
Figure 2. Google assistant supported features.
Future Voice Assistant Security Solutions
The following are recommended security and safety enhancements for voice assistants. Some of these ideas are specific to a vehicle or a home, others can be used in a variety of products at home or the office. As your mobile device becomes more of a digital assistant, location-based functionality for your voice assistant will become the norm (assuming this feature is enabled).
Here are the future voice assistant items needed today to improve security:
- Processing location - all voice assistant requests to Alexa, Hey Google and Siri and other commonly used voice services are currently sent to the cloud for processing. This dynamic has generated privacy concerns especially with the recent news of employees listening in on some of the voice assistant requests (in an attempt to improve the service.) The user of any voice assistant enabled device needs to have the following three processing options for their requests:
- Local only - all voice assistant requests are processed on the intended device; the request is never sent on any network
- Local + LAN - all voice assistant requests are processed either locally or on the local network, but never sent to the cloud. This request is attempted to be processed by the device on which it was received. If unsuccessful, the request is sent to a local PC/server on the LAN capable of processing more advanced voice assistant requests.
- Local + Cloud - the voice assistant request is attempted by local resources (device & LAN) first. If unsuccessful, then the request is forwarded to the cloud of processing. All of this is transparent to the user making the request.
- Obviously, the processing power, level of artificial intelligence (futuristic) and nature of the question plays a huge role here on where the voice requests can be fulfilled. The security conscious user would select the “Local Only” option while the carefree user would probably opt for the “Local + Cloud” option.
- PC / Laptop Authentication (Home & Office) - most PCs and laptops today still use a password to authenticate to the device. Voice assistants can be used to securely authenticate to the home or work PC/laptop by requiring the user to speak any phrase. The integrity of the voice is checked against registered users, eliminating the need for a static voice password (which could be overheard by a coworker). In highly restrictive areas, voice could be required as an additional factor of authentication before or after the user enters in their traditional password via the keyboard. If either authentication fails, then the user is not granted access to the PC/Laptop.
- The location-based scenario allows the user to use voice only when authenticating in a previously designated trusted location (e.g. home). In untrusted locations, the default could be to require both voice and a traditional password entered via the keyboard. The owner of the PC/Laptop can determine the best authentication strategy to use depending on the location and value of the data stored on the PC / laptop.
- Vehicle Access - In addition to a traditional key, most newer cars are allowing vehicle operation using a proximity fob. While this is convenient for the vehicle owner and does provide a level of security, there are recent stories of vehicles being stolen using cloning techniques and radio replay attacks. Below is a recent article covering the recent theft of Tesla model X using one of these techniques:
- Hackers Could Steal a Tesla Model S by Cloning Its Key Fob - Wired.com
- If someone wanted to borrow your vehicle, then the voice assistant check would need to be disabled for a period of time. Even if the vehicle was stolen during this vulnerable period, you would have the ability to enable the voice assistant requirement immediately. This requirement would occur on the next attempt to start the vehicle.
- Home Access - Similarly to using your voice to authenticate to your vehicle, access to your home could also be controlled using this approach along with multiple options. For example, entry into the house could require two factors such as a visual check (using a camera equipped doorbell) and a voice check. Even if a passerby heard the phrase to enter the house, their voice would fail the voice test. There could also exist a “secret” phrase that if heard from a specific individual could trigger a call to the local police or neighbor. In a less threatening environment, a simple voice check at the house could unlock the house, turn on lights, play their favorite genre of music or TV station, and adjust the thermostat based on the individual voice detected.
- Mobile Device Authentication - Currently, most devices have basic PIN functionality while the higher end mobile devices include a biometric option like Face ID for device authentication. While these options may suffice for the consumer market, businesses may want an additional factor of authentication at the device level. This is where the voice assistant could provide another factor of authentication; access to the device is only allowed after successful entry of the PIN or biometric and passing a voice test. After the user completes the first authentication using a PIN or biometric, they would then be prompted by the voice assistant to speak a phrase. The device would do an integrity check to ensure the voice matches the registered owner.
- One dangerous scenario existing today is trying to unlock a mobile device while driving. While you should never be using your mobile device while driving, it would be much safer and quicker to unlock it with your voice. If you use Face ID or another biometric to unlock your mobile device, putting the device in front of your face or trying to position your finger to unlock it while driving is also dangerous. Unlocking your mobile device with your voice allows your passengers to safely access your device while your eyes stay focused on the road.
We need to get past the current scenario where voice assistants are used in limited situations with the primary focus being convenience. Using voice assistants as an authentication factor or access method will help increase security and safety in all the areas in which they are present.