Speaker Snitch Tattles On Privacy Leaks

A wise senator once noted that democracy dies with thunderous applause. Similarly, it’s also how privacy dies, as we invite more and more smart devices willingly into our homes that are built by companies that don’t tend to have our best interests in mind. If you’re not willing to toss all of these admittedly useful devices out of the house but still want to keep an eye on what they’re doing, though, [Nick Bild] has a handy project that lets you keep an eye on them when they try to access the network.

The device is built on a Raspberry Pi that acts as a middle man for these devices on his home network. Any traffic they attempt to send gets sent through the Pi which sniffs the traffic via a Python script and is able to detect when they are accessing their cloud services. From there, the Pi sends an alert to an IoT Arduino connected to an LED which illuminates during the time in which the smart devices are active.

The build is an interesting one because many smart devices are known to listen in to day-to-day conversation even without speaking the code phrase (i.e. “Hey Google” etc.) and this is a great way to have some peace-of-mind that a device is inactive at any particular moment. However, it’s not a foolproof way of guaranteeing privacy, as plenty of devices might be accessing other services, and still other devices have  even been known to ship with hidden hardware.

33 thoughts on “Speaker Snitch Tattles On Privacy Leaks

    1. I just don’t understand why people have these things in their home at all, much less. spend any money on them. But Ill admit, it’s getting more and more difficult to keep them out.

        1. That’s what our elbows are for :) . We have got along just fine raising families without the ‘convenience’ of voice activation for thousands of years now… Not a lifesaver ;) . Far from it.

      1. I do like the ‘idea’ of voice activation. No problem with that. But I want it to be completely processed ‘locally’ and confirmed (I ask, it responds, I confirm, it does) before transmission of any external internet type of request. Turning lights on/off etc. should never have to go to Google for analysis. If that can’t be done, then I don’t want the technology in my home. Of course it is a given, that it should never ‘phone home’ unless I initiate it.

      2. Because they’re *incredibly* convenient, sometimes to a life changing degree.

        I have Tile trackers, a Google smart alarm clock, and YoLink door sensors. I would greatly prefer if they were open source, because that’s more money than I’d like to spend on something that could stop working.

        But it’s not like I can’t just turn it off if I have some reason to need privacy. The only thing that could pick up anything meaningful is the smart speaker, and even then, the bedroom is probably the least likely place to pick up anything confidential.

        My location and presence data is of very little interest to anyone who doesn’t have some kind of stalking problem or vendetta. I don’t think I know any of those, and if I did, I doubt they’d coincidentally be one of the few employees with access.

        The only privacy issues that bother me are the legal ones.

        People should always have the right to be anonymous when they so choose, but IoT doesn’t impede that.

        There’s a bit of an issue with the fact *other* people’s devices can record you, but I think of that as more of a feature rather than a bug, because that can be an important self defense tool, and security cameras and the like are already widely accepted by most.

  1. >Pi sends an alert to an IoT Arduino connected to an LED which illuminates during the time in which the smart devices are active.

    RPi is quite capable to lightup a LED on its GPIO. One can use a cheap wireless transmitter/receiver modules if it is not near the RPi.

        1. The WS2812 (NeoPixel) has a minimum VIH of 0.7VDD, where 3.5V < VDD < 5.3V.

          The Pi's power rails are 5V and a 3.3V, and the Pi's GPIO/SPI interface is 3.3V, which means that the Pi's signaling voltage will be out of spec without additional hardware.

  2. If I were making a speech enabled iot device and I wanted to spy on people I would have it cache the recordings and send them at quiet times or when the activation word is spoken, whichever comes first. That way it would throw off anyone trying to see what it’s up to by monitoring network activity.

  3. This is a great start! But what would be even better is a RPI to act as an AP to these devices. or a man in the middle from the device to your router. This way ALL traffic could be monitored. Such that any traffic in or out without the wake word would flash the led or better yet put all traffic data on a lcd.

  4. > because many smart devices are known to listen in to day-to-day conversation even without speaking the code phrase (i.e. “Hey Google” etc.)

    Giant, blinking [CITATION NEEDED] here, thanks

      1. Sure, if your goal here is to phrase it such that misbehavior sounds like intentional behavior. It isn’t “listening to day-to-day conversations”, it’s listening for a wakeword and that activation step is sometimes not great. It’s poor wording at best, and while I can appreciate the goal here, it reeks of more “oh my god my PRIVACY” pearl-clutching while you still have and consume Google services regularly.

  5. Just ask the question…
    Hey google, are you snooping?

    Of course it is! All the time – it’s waiting for that all important Hey google. But as I understand, all conversations have to be sent to the cloud for analysis, including the hey google.

    And for proof, discuss something obscure like some item you’re never going to buy a few times, and then watch for the targeted ads showing up on your devices. Not snooping eh?

  6. Seems like a Pi with a mic could be used to listen for a specific keyword then grand the snooper access to the network for its requested task.
    What would be great is some way to add this short of on demand access to a firewall like pfSense.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.