5 Ways to Secure Your Google Home Device

Although Google doesn't have the most popular digital assistant on the market (yet), its smart speakers — Google Home, Google Home Max and Google Home Mini — are quickly gaining market share and impressing users with a growing number of skills and abilities.

The Google Home and Google Home Mini.

If you're new to Google Assistant, you may not know how these devices collect and store your information, nor how they relate to your existing Google accounts.

Because you have to use your Google credentials to set up and use Google Home and many Google Assistant functions, a significant amount of your personal information falls under the umbrella of just one company. This may be preferable to scattering your data among dozens or hundreds of third-party apps, but centralization does present some challenges.

"If you trust Google to take good care of your data in general, having it in one place versus all over the place is good," said Jeff Wilbur, director of the nonprofit Online Trust Alliance. "The danger, when it's all centralized, is if someone, somehow, gets access to your Google account, they have a rich set of stuff to look at — your voice queries, payment history and search history."

As with any smart technology, there are a few general best practices when it comes to securing your network and devices. For example, you should change your default passwords, use the Wi-Fi Protected Access II (WPA2) protocol on your router, regularly update your device's firmware — which may not happen automatically, as it does with your smartphone apps — and set up a separate network and firewall for your smart-home products if your router allows it.

Once you have a strong and secure home network, take the following steps to further protect your Google Assistant-enabled devices.

Experts suggest that the biggest concern with Google Home is not the product itself, but which devices (smart-home gadgets) and accounts (banking) you connect to it, how many Google services you use and how vulnerable Google's servers might be to an attack.

"Data sent from Google Home to Google is encrypted, so from that perspective, Google Home does not really introduce new security risks," said Craig Young, a computer security researcher with Tripwire's Vulnerability Research and Exposures Team. "Instead, the risks come from the possibility that Google's data centers would get compromised, and from the fact that Google Home users are encouraged to link their account with other services."

One option might be to create a new Google account specifically for use with your Google Home device, and to keep that new account separate from the credentials you use for Gmail and other Google products. If you can, avoid linking banking, credit card and other payment accounts to your device.

If you do connect your other smart devices or personal accounts (Netflix, for example) to your Google Home, understand which commands enable or disable those devices' and accounts' functions and whether any additional measures are available to secure individual devices. For example, Google Assistant can lock Schlage's smart deadbolt, but it cannot unlock it by voice command.

Enable Voice Match

Use Google Home's Voice Match function to teach the device your voice, personalize its answers and prevent strangers from accessing sensitive information. If you and your family members enable Voice Match, Google Assistant will provide personalized music playlists, commute times, routines, news briefings and payment histories. The device will give you personal results only if it identifies your specific voice.

To set up Voice Match, open your Google Home app, click on your device, and tap "Multi user is now available," "Link your account" or "Get personal results with Voice Match" (depending on whether you are the primary user). You'll have to say, "Hey Google" and "OK Google" several times to train your device to recognize your voice, and each individual will have to follow the same steps from his or her own Google account.

If you don't enable Voice Match, and your Personal results feature happens to be on, then anyone can ask for and receive your personalized answers, which Online Trust Alliance's Wilbur said will make your device vulnerable. You can disable Personal results entirely in your app under Menu > More Settings > Devices.

Even if you use Voice Match, your friends or kids can still engage with your device; they just won't be able to get certain sensitive information. Google Home will support only six unique Voice Match users. It also isn't perfect, as similar-sounding voices may trigger your device.

Manage and delete your old recordings

Google stores your conversation history with your Google Assistant on its servers until you delete the recordings. Although simple functions like setting a timer and asking for the weather report are unlikely to compromise your personal details, questions about your commute, your bank balance and your health concerns could present risks — and hackers, as well as anyone with your Google account credentials, could find and use this information.

Listen to and delete your voice recordings on the My Activity section of your Google account. This is available in the Google Home app as well as on the web at myactivity.google.com. (The latter also shows your search and browsing history.)

In your app, open the hamburger menu at the top left corner, click on My Activity and then manage individual recordings or sort by date to delete multiple files at once. If you are using a web browser, click "Filter by date & product" underneath the search bar and toggle the "Voice & Audio" option. From here, you can delete individual recordings, batches of files by day, or your entire history.

Deleting old recordings can degrade your Google Home's performance because the service uses this history to improve its responses. But at the very least, go through your queries on a regular basis and remove recordings that you wouldn't want a stranger to hear.

Use two-factor authentication for your Google account(s)

Two-factor authentication (2FA) creates another layer of security between malicious actors and your personal data. Your Google Home is connected to your Google account — which contains your Drive, Photos, Gmail, Music, search history and more — so if a hacker cracks your Google password, they'll have access not only to your device and voice recordings, but also much of what you do on the internet.

Although it's a bit of a process to set up, 2FA protects your data by making it nearly impossible for a cybercriminal, or even a prank-loving friend who has your password but lacks access to your smartphone, to log in to your Google account, listen to your recordings, or gain control of your Google Home.

Mute your device when you aren't using it

Google Home hasn't gone on any creepy laughing streaks triggered by misheard commands — ahem, Alexa — but that doesn't mean that your device can't or won't accidentally pick up and record sensitive conversations. Phrases that you think sound nothing like "OK Google" and "Hey Google" may still wake your device, so mute the microphone if you don't want your voice recorded.

For now, the Google Assistant only recognizes "OK Google" and "Hey Google," but consumers may soon be able to customize their devices' wake words, which could reduce false positives.

Google Home has a microphone mute button on the back of the device, while both Google Home Mini and Google Home Max have an on/off toggle switch that turns orange when the microphone has been disabled. Remember that once you mute your speaker, it won't respond to any voice commands until you re-enable the mike.

Another option to guarantee that your device isn't listening is to turn it off completely. To do this on any Google Home, simply unplug the power cord — there is no power button. Experts recommend either muting or turning off the device when you don't need its assistance or know you'll be having a private conversation.

"Don't murder anyone, and if you're doing something considered 'intimate,' unplug it," said Steve Shillingford, a security expert and founder of Anonyome Labs.

Before you set up your digital assistant and connect it with personal accounts or other hackable devices, do your research about potential security vulnerabilities and decide if any known risks are worth taking.

"Be as aware as you can be," Wilbur said. "Everyone has a different tolerance around what is acceptable and not acceptable. Search around to say, 'Is this device known to have a problem?', and you will quickly find out if any concerns have surfaced."

Credit: Tom's Guide

Emily Long

Emily Long is a Utah-based freelance writer who covers consumer technology, privacy and personal finance for Tom's Guide. She has been reporting and writing for nearly 10 years, and her work has appeared in Wirecutter, Lifehacker, NBC BETTER and CN Traveler, among others. When she's not working, you can find her trail running, teaching and practicing yoga, or studying for grad school — all fueled by coffee, obviously.