Threats to Voice-Based IoT and IIoT Devices

voice-based-threatsAccording to one estimate, 33 million “voice-first” devices would have already been shipped by the end of last year. Given the staggering number of voice-based internet-of-things (IoT) devices that are apparently in use around the world, it’s worth noting that security for these devices should become a top priority. This acquires greater urgency in light of the realization that as it continues to expand with more and more devices, IoT is expected to become increasingly fragmented and consequently become riddled not only with compatibility issues but also with security concerns.

Voice-based devices such Amazon Echo and Google Home are human interface devices that constitute new ways of interacting with computers, says David Sancho, senior threat researcher at Trend Micro. With these devices, humans can simply give verbal instructions to voice assistants.

These voice assistants are especially helpful in environments where the user doesn’t have access to or prefers not to use a traditional input method such as a keyboard or a mouse. Common examples include kitchens and bathrooms. But industrial settings such as automated factories and medical operating rooms are also ideal for voice-controlled devices, contributing to their effectively becoming industrial internet-of-things (IIoT) environments.

Sancho cites three kinds of threats that can become disruptive to voice-enabled environments: privacy concerns, command spoofing, and denial of service.

According to Sancho, there are voice and sound technologies that make these attack scenarios even more dangerous. Some of the possibilities include:

Directional speakers
Directional speaker technology allows an attacker to send a command directly to the device so that other observers nearby would not be able to detect it. Usually, this is an exotic technology that doesn’t have a lot of uses, but the fact that it exists and it’s not too expensive could make for a useful weapon for the attacker.

High- and low-frequency commands
Recording commands in the inaudible frequency range could allow an attacker to make the voice assistant do something without anyone being able to hear it. Some devices may be able to discern the message while people nearby would only hear something apparently inoffensive, similar to background music.

Tagging arbitrary data into sounds
This can trip up devices or make it relay data to the cloud that can be used as an exfiltration point. More research needs to be done to explore the possibilities offered by the so-called “internet of sound,” but there are a few options for attackers in this area.   

Protecting voice-based devices against threats

As the voice-based assistant field is new, there are plenty of exciting possibilities for users, especially those who work in industrial environments. However, as with any new technology, the potential for attacks becomes apparent. And as with other types of IoT and IIoT devices, best practices such as the following should be followed to prevent and mitigate attacks: 

  • Enable all security features on all smart devices.
  • Always update the device firmware.
  • Change default passwords into secure ones.
  • Close any unused ports on devices and routers.
  • Use encryption for all networks and devices.

Voice-based IoT and IIoT devices can be a game changer in making daily tasks easier not just in homes but in industrial settings as well. But although the technology that enables these devices is still fairly new, the possibility of attacks and compromise is already very real for them. As with all new things, Sancho notes, exploring what the attack surface is and mitigating potential attacks are of great importance.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Internet of Things