Anthony Phipps, a PhD student within the Cyber Security Centre, comments on his research into audio cybersecurity and the security of voice computing in light of the pandemic.
Date: 13 August 2021
Changes in the working patterns of millions of workers should encourage us to look again at the cybersecurity issues surrounding consumer voice computing devices that are now present in many of our homes. Voice computing continues to revolutionise the way we interact with technology and the world. Voice assistants on our phones, in our vehicles, and in our homes have brought great benefits in terms of usability and accessibility.
During the last 12 months in response to the COVID-19 pandemic, many more people work remotely from their homes. Organisations have been quick to realise the benefits of remote and flexible working for both the employee and employer alike. Reduced sickness absence, greater productivity, employee satisfaction and the promise of reduced property costs have forced many organisations to accelerate digital transformation programs that facilitate agile working.
Many organisations have allowed tasks previously considered to be too sensitive from a security perspective to be conducted outside of company premises. Corporate risk appetites have had to change due to the constraints of government-imposed lockdowns and also the need to balance the health risks of communal travel for employees. This change has driven the need to re-assess the impact of working from home from a cybersecurity perspective. Whilst the security issues of homeworking are well understood with many mature technologies and processes in place, an often overlooked aspect of these arrangements is the proximity and use of personal voice assistants.
Voice assistants in smart speakers such as Amazon’s Alexa and Google’s Assistant can provide a lot of convenience, accessibility and productivity benefits that can be utilised whilst working. Common uses include creating diary appointments, to-do lists, reminders, messages, and even holding voice conferences. There are also specialist skills that even help you host meetings and transcribe notes for you. We know voice assistants are useful in our home life for automating everything from controlling our lighting to playing music, but they can also be helpful for work.
But consider how you would feel if your GP working from home maintained your medical appointments via a voice assistant? "Alexa, make an appointment for Mr Phipps to treat his embarrassing ailment at 3pm." Clearly, there are some things many people are not comfortable for third parties to share about you with other organisations. Voice assistants rely on cloud service provision and third party skills to deliver functionality to the user.
So the key questions to ask yourself: Do you know when these devices are listening to you? Do you know how secure they are? And do you know where your data goes?
Voice assistants in smart speakers and consumer devices are often unauthenticated at the point of use and are subject to an array of emerging threats as diverse as fake skills that steal your data, responding to near-silent and hidden commands, and even being triggered remotely by directed laser light signals.
Voice assistants, therefore, offer great benefits but like all technology, the cyber threats must be managed if used in the new “workplace.” The risk of having these devices in the vicinity of the home workplace can be largely controlled by following 7 simple steps:
- Use the same care when installing voice skills as you do when installing applications
- Do not use your personal voice assistants for your work if that involves sensitive or personal data that isn’t yours
- Enable security features such as 2 Factor Authentication and Voice Recognition if available
- Place smart devices on a separate network in your home
- Place smart speakers on mute if not used for work
- Relocating the device if necessary for high-security occupations
- Review your settings regularly and keep your device's software up to date
