SAN FRANCISCO -- Smart-home digital voice assistants such as Amazon Alexa or Google Home are safe to use as long as you strictly limit what kind of information they have access to, two security experts said at the RSA Conference here last week.
"Only use a virtual personal assistant in the cases where it's not sharing personal data," said Tony Anscombe, a global security evangelist at ESET, in a presentation Tuesday (April 17). "Be cautious and think about what you're giving Google Home or Amazon Alexa or any other virtual personal assistant."
In a separate presentation later that same day, Candid Wueest, a threat researcher at Symantec, recommended that users be selective about which other devices they link to the assistants.
"Have you ever imagined that there might be a day when you have some smart assistants at home knowing your life better than your partner?" asked Wueest. "Can they hold that data against you? Will the [robot] uprising begin, as in every good science-fiction movie?"
Google Home and Amazon Alexa, by default, always listen to your conversations. But they don't record anything until they hear specific keywords such as "OK, Google" or "Alexa." (You can change those default keywords to something else.)
Once the device hears the keyword, it starts recording and instantly uploads what you say to cloud servers, where the recorded speech is quickly processed into machine-comprehensible instructions that are passed back down to the devices so that they can carry out your commands.
Both Alexa and Google Home can play music or read out email messages. But they also interact with other smart-home devices, so that you can say "OK, Google, dim the lights," or "Alexa, turn on the TV," with the appropriate results.
That's where the potential trouble lies. Some smart-home devices collect personal information that you might not want to be learned by Alexa or Google Home. You can go into your Google or Amazon account and selectively delete old recordings, but then the device "unlearns" some of what it knows about your preferences and speech patterns.
"Once you start connecting all these other [smart home] devices, is Alexa finding out too much?" Anscombe asked. "Let's say I connect my Nokia [smart bathroom scale] to my Alexa device. I ask Alexa what did I weigh that morning, Alexa comes back with I weigh X. Alexa stores that interaction in the Alexa app and in my Amazon account."
"Suddenly, what was once in the Nokia system ... is now in the Amazon system and on my phone," he said. "Now I could go in and delete the Alexa interaction. But how many people realize you can delete the interactions, or that they're being stored, or have the time to go back and delete interactions that maybe hold personal data?"
Amazon and Google, of course, make these wonderful devices -- Wueest said that an estimated 31 million Alexa devices and 14 million Google Homes have been sold worldwide -- so that they can learn more about us and thereby sell us more things. But they and other advertisers and retailers may not be the only ones listening.
"It's the marketer's dream to have all the personal data in one place," Anscombe said. "But it's also the cybercriminal's dream. I could break into your Amazon account and see all your Alexa interactions. I would suddenly know a lot more about you.
"That might not be an issue," he said, "if you've got your phone and your lights and your thermostat connected -- except that they've got a pattern of when you're home and you're not home -- but if they've got your health information, or you're connecting other devices that are collecting your personal information, then I would [advise] caution."
Each of these devices has a button to turn the listening function off or on, and Wueest recommended using it often.
"If you're talking about your plans to take over the world, as you do every night, there's a physical button to mute," he said. "Of course, you have to walk over to the device to do that, and then to turn it back on, so you might forget to do it sometimes."
Overall, Wueest said, you have to treat your Google Home or Alexa device carefully, and to r The Best Smart Home Devices That Work with Google Home remember that you won't always need or want its assistance.
"Make sure that updates are automatically processed. Make sure that you're only linking to the device whenever you want it to be used," he said. "If you're not using the online shopping functionality, it may be better to switch it off. If you don't really want to use the calendar, don't link your calendar to it, or maybe use a different account. Be selective in what you link to the device."
"If you follow those guidelines about how to set up the device," Wueest added, "then the chances of your life becoming the next science-fiction horror movie are very small."