Stay Smarter Than Your Smart Speaker

Smart speakers have always posed a risk to privacy and security — that’s just the price we pay for getting instant answers to life’s urgent and not-so-urgent questions the moment they arise. But it seems that many owners of the 76 million or so smart speakers on the active install list have yet to wake up to the reality that this particular trick of technology requires a microphone that’s always listening. Always. Listening.

With so much of the world’s workforce now working from home due to the global SARS-CoV-2 pandemic, smart speakers have suddenly become a big risk for business, too — especially those where confidential conversations are as common and crucial as coffee.

Imagine the legions of lawyers out there, suddenly thrust from behind their solid-wood doors and forced to set up ramshackle sub rosa sanctuaries in their homes to discuss private matters with their equally out-of-sorts clients. How many of them don’t realize that their smart speaker bristles with invisible thorns, and is even vulnerable to threats outside the house? Given the recent study showing that smart speakers can and do activate accidentally up to 19 times per day, the prevalence of the consumer-constructed surveillance state looms like a huge crisis of confidentiality.

So what are the best practices of confidential work in earshot of these audio-triggered gadgets?


Smart Speakers “Accidentally” Listen Up To 19 Times A Day

In the spring of 2018, a couple in Portland, OR reported to a local news station that their Amazon Echo had recorded a conversation without their knowledge, and then sent that recording to someone in their contacts list. As it turned out, the commands Alexa followed were issued by television dialogue. The whole thing took a sitcom-sized string of coincidences to happen, but it happened. Good thing the conversation was only about hardwood floors.

But of course these smart speakers are listening all the time, at least locally. How else are they going to know that someone uttered one of their wake words, or something close enough? It would sure help a lot if we could change the wake word to something like ‘rutabaga’ or ‘supercalifragilistic’, but they probably have ASICs that are made to listen for a few specific words. On the Echo for example, your only choices are “Alexa”, “Amazon”, “Echo”, or “Computer”.

So how often are smart speakers listening when they shouldn’t? A team of researchers at Boston’s Northeastern University is conducting an ongoing study to determine just how bad the problem really is. They’ve set up an experiment to generate unexpected activation triggers and study them inside and out.


Almond: Open Personal Assistant From Stanford

The current state of virtual personal assistants — Alexa, Cortana, Google, and Siri — leaves something to be desired. The speech recognition is mostly pretty good. However, customization options are very limited. Beyond that, many people are worried about the privacy of their data when using one of these assistants. Stanford Open Virtual Assistant Lab has rolled out Almond, which is open and is reported to have better privacy features.

Like most other virtual assistants, Almond has skills that determine what it can do. You can use Almond in a browser, on a Google phone, or as a command line application. It all lives on GitHub, so if you don’t like something you are free to fix it.


This Week In Security: KNOB, Old Scams Are New Again, 0-days, Backdoors, And More

Bluetooth is a great protocol. You can listen to music, transfer files, get on the internet, and more. A side effect of those many uses is that the specification is complicated and intended to cover many use cases. A team of researchers took a look at the Bluetooth specification, and discovered a problem they call the KNOB attack, Key Negotiation Of Bluetooth.

This is actually one of the simpler vulnerabilities to understand. Randomly generated keys are only as good as the entropy that goes into the key generation. The Bluetooth specification allows negotiating how many bytes of entropy are used in generating the shared session key. By necessity, this negotiation happens before the communication is encrypted. The real weakness here is that the specification lists a minimum entropy of 1 byte. This means 256 possible initial states, far within the realm of brute-forcing in real time.

The attack, then, is to essentially man-in-the-middle the beginning of a Bluetooth connection, and force that entropy length to a single byte. That’s essentially it. From there, a bit of brute forcing results in the Bluetooth session key, giving the attacker complete access to the encrypted stream.

One last note, this isn’t an implementation vulnerability, it’s a specification vulnerability. If your device properly implements the Bluetooth protocol, it’s vulnerable.
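As an added illustration (not code from the original article or from the researchers), this Python sketch models the entropy negotiation described above in simplified form and shows why a device-side floor changes the outcome. The `Device` class, the 16-byte maximum and the 7-byte policy floor are assumptions of the example, and it does not reproduce real Bluetooth message framing.

```python
from dataclasses import dataclass

SPEC_MIN_BYTES = 1   # minimum entropy the article says the specification allows
MAX_BYTES = 16       # assumption: largest entropy length a device offers
POLICY_FLOOR = 7     # assumption: local minimum chosen for this example


@dataclass
class Device:
    name: str
    min_bytes: int            # smallest entropy length the device will accept
    max_bytes: int = MAX_BYTES

    def respond(self, received: int):
        """Return the agreed length, or None to abort the connection.

        The proposal arrives before encryption starts, so the device cannot
        tell whether `received` is what the peer actually sent.
        """
        agreed = min(received, self.max_bytes)
        return agreed if agreed >= self.min_bytes else None


def keyspace(entropy_bytes: int) -> int:
    """Number of candidate keys for a given entropy length."""
    return 256 ** entropy_bytes


def audit(sessions, floor: int = POLICY_FLOOR):
    """Return (peer, bytes) for logged sessions negotiated below `floor`."""
    return [(peer, n) for peer, n in sessions if n < floor]


# Constructed scenario: the peer sent 16, but the value seen on arrival is 1.
sent, received = MAX_BYTES, SPEC_MIN_BYTES
spec_device = Device("spec-minimum", min_bytes=SPEC_MIN_BYTES)
hardened = Device("policy-floor", min_bytes=POLICY_FLOOR)

# Constructed session log: (peer label, negotiated entropy in bytes).
SESSIONS = [("headset", 16), ("keyboard", 1), ("speaker", 7)]

if __name__ == "__main__":
    for dev in (spec_device, hardened):
        result = dev.respond(received)
        outcome = "abort" if result is None else f"{result} byte(s), {keyspace(result)} keys"
        print(dev.name, "->", outcome)
    print("below floor:", audit(SESSIONS))
```

A device that accepts the specification minimum agrees to a 256-key space, while the device with a floor aborts instead of downgrading; the same floor applied to session records flags any link that was negotiated too low.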

CenturyLink Unlinked

You may not be familiar with CenturyLink, but it maintains one of the backbone fiber networks serving telephone and internet connectivity. In December 2018, CenturyLink had a large outage affecting its fiber network, most notably disrupting 911 services for many across the United States for 37 hours. The incident report was released on Monday, and it’s… interesting.

R3-14, The Personal Assistant Two Years In The Making

One of the great things about hacking together projects these days is how many powerful subsystems are readily available to reuse. [Sanjeet] took full advantage of a whole slate of reusable pieces when he built R3-14 — a personal assistant robot that you can see in action in the video below.

Many people started out in electronics building something simple like a crystal radio or an LED cube. But how far could you get if your projects had to begin at the most basic level, by drawing out copper wire, fabricating coils, capacitors, semiconductor devices, and batteries? Even if you know how to do all those things, it would take a lot of time, so there is no shame in using off-the-shelf components. By the same token, [Sanjeet] uses Google Assistant, 433 MHz RF transmitters, and a Raspberry Pi as components in this build. Along the way, he also contributed some reusable pieces himself, including an LED library for the Pi and a library to allow Siri to control a Raspberry Pi.


New Part Day: Put An Alexa In Everything

The last great hope for electronics manufacturers is smart home assistants. The Alexas and Siris and OK Googles are taking over homes across the country. At its best, it’s HAL 9000, only slightly less homicidal. It will entertain your children, and you can order cat litter just by saying you want cat litter. This is the future, whether we like it or not.

In an attempt to capture the market, Amazon has released the Alexa Connect Kit. This is an Amazon-Echo-On-a-Chip — a piece of hardware that adds Alexa to microwaves, blenders, and whatever other bit of home electronics you can imagine.

The Alexa Connect Kit is the hardware behind Amazon’s efforts to allow developers easy integration with Alexa. The options for adding Alexa to a product up until now have been using Zigbee to connect an Echo Show or Echo Plus, or simply giving a device the ability to connect to an Echo through Bluetooth. The Alexa Connect Kit, however, is a pure hardware solution that puts Alexa in anything.

Unfortunately you can’t get one yet. Right now, the Alexa Connect Kit is just a preview, and if you want to get your hands on one — or get any specs on this bit of hardware — you’ll need to apply to the developer program. We’ve signed up and will share any juicy details that come our way as part of the program.

According to the Wall Street Journal (try Google referral link if you hit the pay wall), several companies are already working on integrating the Alexa Connect Kit into their existing product lines. Hamilton Beach and Procter & Gamble are both working on something, although the press doesn’t say what kind of device will now be loaded up with a voice assistant. Amazon, however, has a microwave using the technology that the owner can, “command the microwave to do things like defrost a half-pound of chicken, or set it up to automatically reorder a favorite type of popcorn on Amazon”.

Despite the sparse details, this is relatively game-changing when it comes to the world of homebrew electronics. We’ve seen dozens of projects using hacked Raspberry Pis and other microcontrollers to add Alexa to hacked coffee machines, to shoot Nerf darts, and to control a projector. If you can actually get one of these Alexas-on-a-chip, all those projects could be done with one simple piece of hardware.

Friday Hack Chat: Hacking Voice Assistants

The future of consumer electronics is electronic voice assistants, at least that’s what the manufacturers are telling us. Everything from Alexas to Google Homes to Siris are invading our lives, and if predictions hold, your next new car might just have a voice assistant in it. It’s just a good thing we have enough samples of Majel Barrett’s voice for a quality virtual assistant.

For this week’s Hack Chat, we’re going to be talking all about voice interfaces. There are hundreds of Alexa and Google Home hacks around, but this is just the tip of the iceberg. What else can we do with these neat pieces of computer hardware, and how do we get it to do that?

Our guest for this week’s Hack Chat will be Nadine Lessio, a designer and technologist out of Toronto with a background in visual design and DIY peripherals. Nadine holds an MDes from OCADU where she spent her time investigating the Internet of Things through personal assistants. Currently, she’s working at OCADU’s Adaptive Context Environments Lab where she’s researching how humans and devices work together.

During this Hack Chat, Nadine will be talking about voice assistants and answering questions like:

  • What languages can be used to program voice assistants?
  • How do you use voice and hardware together?
  • What goes into the UX of a voice assistant?
  • How do these assistants interface with microcontrollers, Pis, and other electronics platforms?

You are, of course, encouraged to add your own questions to the discussion. You can do that by leaving a comment on the Hack Chat Event Page and we’ll put that in the queue for the Hack Chat discussion.

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This week is just like any other, and we’ll be gathering ’round our video terminals at noon, Pacific, on Friday, July 13th.  Need a countdown timer? Yes you do.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.