Is Eavesdropping Possible through Smart Speakers?

The global smart speaker market grew by 58% in 2020, accounting for 154 million units, according to Omdia analysts. The global install base for smart speakers reached 339 million devices in 2020, up from 138 million units in 2019. However, Daniil Chernov, CTO at DerSecur LTD., believes that the rate of development is outpacing the security evolution of smart devices. 

Smart speakers are mostly used to control other smart devices with voice commands and create tasks for a voice assistant, which requires a constantly listening microphone that is capable of background speech recognition and is connected to the Internet. Text converted from audio is sent via a Wi-Fi network to a cloud server of the smart device vendor, thus allowing smart speakers to handle a user's request at any time. 

However, smart speaker security now depends on whether the Wi-Fi connection, vendor cloud server, and device firmware and access are protected well enough. 

You can secure a Wi-Fi connection by enabling WPA2 network encryption in the Wi-Fi security settings. If there are IoT devices in your house that can be controlled by a smart speaker, make sure they are not autonomous access points, but all connected to the router. To do so, enable Network Address Translation (NAT), which will create an additional barrier for attackers. Hacking IoT devices will then require attacking a Wi-Fi router first. Furthermore, don't forget to update your Wi-Fi router firmware for patches that might provide important security improvements. 

Wi-Fi connection security can be enhanced by a user, unlike the security of the developer's server and smart device firmware. The only option is to update the speaker firmware on time, so that detected vulnerabilities are promptly eliminated. 

A smart device equipped with voice control can be exposed to eavesdropping attacks, as hackers may gain control over it and record whatever is going on around the speaker. Such recordings could be used to blackmail or compromise the user in a number of different ways. When a device is compromised, the attacker can also access command history and gain control over connected IoT devices. 

Moreover, some smart speakers collect information about user preferences to provide better targeted ads and content recommendations. You can turn ads personalization off via the device settings. While this doesn’t fully remove ads and recommendations, users will no longer be targeted based on their behavior. 

Finally, given the many potential vulnerabilities of smart speaker security, in addition to the above measures it is also recommended that you disable the microphone when the smart device is not in use.