Home Digital Voice Assistants (HDVAs) have become popular in recent years. Using voice commands, one can control smart devices and get assistance, such as turning on lights and fans, through HDVAs such as Amazon Alexa, Google Home, Apple Siri, Cortana etc. These assistants sit in the corner of a room and are able to hear your voice from across the room. While this may seem harmless, it poses serious security threats.
The aim of this advisory is to create awareness about these HDVAs and provide guidelines to help safeguard personnel.
The following are the guidelines for effective and safe use of HDVAs:
An HDVA must only be connected to a trusted network and never to a public network or hotspot. The trusted network (usually home Wi-Fi) should be well protected.
Complex passwords must be used, and two-factor/multi-factor authentication must be enabled to protect all accounts associated with the HDVAs.
One should be careful about which accounts one connects. If there is no requirement for calendar reminders, official addresses etc., one should not use the business account for authorization. Unused features like these should be turned off.
HDVAs can be triggered by commands from other sources. Hence, to prevent this or reduce its probability, the manufacturer-issued voice recognition feature must be used if the option is available. Voice recognition is not completely foolproof, but its use is advised.
Unintentional triggering does happen sometimes in HDVAs. Hence, these devices should either be muted or turned off when not in use to prevent accidental pickup of commands.
The voice purchasing option, which is enabled by default in Amazon Alexa, should be turned off immediately to prevent unwanted purchases.
Voice assistants respond to ultrasonic sounds, which are inaudible to the human ear. Hence, it is advised to never connect voice assistants to critical IoT devices like door locks, to prevent an attacker from exploiting this feature (Dolphin attack).
Keep your HDVAs updated to the latest firmware available. Older versions of Amazon Echo devices allowed anyone to replace the firmware and add their own code to the device, thereby turning them into a listening device.
Avoid connecting security functions such as door locks to the HDVAs. Also, these devices should not be used to remember passwords or credit card data.
Personnel should be sensitized to not use their voice assistants for critical work and to follow the guidelines.