Is Alexa Listening to Your Confidential Work Conversations?

(or, How to Work from Home Securely)

With social-distancing firmly in place, many conversations that would have taken place in the conference room are now happening in kitchens, living rooms, and bedrooms across the world. If you or your employees are now telecommuting, security that was taken for granted is being questioned. In the home environment, it is important to consider some practical security measures to keep your team and your information safe.

There are practical and pragmatic steps you can take to ensure working from home is as safe as possible. The most common occurrences of ‘hacking’ private or confidential information come from out-of-date browsers, anti-virus programs, or operating systems. Keep yourself safe(r) at home by:

  • Enabling automatic antivirus signature updates
    • Probably already in place with off-the-shelf products
    • Antivirus is only as good as the latest signature update
  • Enabling all OS security updates
    • If Windows says you need an update, believe it.
  • Using a separate network from your IoT devices
    • Put your doorbells and Wi-Fi-crockpots on the “Guest” network
  • Not saving company passwords in your personal browser
    • Chrome / IE / Safari are making your life easier here, but it is a security risk
    • If you’d rather not remember passwords, use a third-party password manager
  • Not saving company information on non-company assets
    • The data doesn’t belong to you, so don’t put it on devices that do!
  • Backing up your hard drive at least weekly
    • Lots of companies make this easy; at least back up the information you’d rather not lose forever.

Bringing us back to the original question: is your digital personal assistant recording confidential information? These devices – Google Home, Amazon Alexa, etc. – do function by ‘always listening.’ This should not be construed as the device always recording what is said in the room. The devices listen, constantly, for a wake word (Alexa, Siri, Hey Google). When the device hears the wake word, it continues to cache the sound while the backend servers translate the audio into useful information, where a combination of machine learning and an internet connection finds the (sometimes) correct information.

There are often reports of people talking privately with friends and family, and then, all of a sudden, they are met with information online that matches what they were privately talking about. This is very likely a psychological effect and not a result of your devices spying on you. Please understand that Google, Amazon, Microsoft and the other multi-national technology companies have literally billions of dollars riding on the privacy of your data. Accordingly, they take extraordinary measures to keep it safe, including frequent security audits, vulnerability scanning, penetration testing, etc.

However, not all IoT devices are created equal, and some care should be taken when introducing new components into your home network. Most importantly, follow vendor guidelines when setting up these devices, and make sure all your devices are protected by a strong, unique password.

So, should you have an Amazon Echo or Google Home device in your home office?

I personally do not find major security concerns with this practice, but some government and high-security systems do, in fact, prohibit these devices.  An abundance of caution is recommended when you are dealing with private or confidential information, and always follow information security guidelines from your employer or clients.

Have any questions about the work-from-home setup for you or your employees? Reach out to our team!

Tyson Savoretti | CISA, CEH, SSCP, PCI-ISA, PenTest+, CySA+