Smart Home Personal Assistants: A Security and Privacy Review

Smart Home Personal Assistants (SPA) are an emerging innovation that is changing the way in which home users interact with the technology. However, there are a number of elements that expose these systems to various risks: i) the open nature of the voice channel they use, ii) the complexity of their architecture, iii) the AI features they rely on, and iv) their use of a wide-range of underlying technologies. This paper presents an in-depth review of the security and privacy issues in SPA, categorizing the most important attack vectors and their countermeasures. Based on this, we discuss open research challenges that can help steer the community to tackle and address current security and privacy issues in SPA. One of our key findings is that even though the attack surface of SPA is conspicuously broad and there has been a significant amount of recent research efforts in this area, research has so far focused on a small part of the attack surface, particularly on issues related to the interaction between the user and the SPA devices. We also point out that further research is needed to tackle issues related to authorization, speech recognition or profiling, to name a few. To the best of our knowledge, this is the first article to conduct such a comprehensive review and characterization of the security and privacy issues and countermeasures of SPA.Comment: Accepted for publication in ACM Computing Survey

Protecting Voice Controlled Systems Using Sound Source Identification Based on Acoustic Cues

Over the last few years, a rapidly increasing number of Internet-of-Things (IoT) systems that adopt voice as the primary user input have emerged. These systems have been shown to be vulnerable to various types of voice spoofing attacks. Existing defense techniques can usually only protect from a specific type of attack or require an additional authentication step that involves another device. Such defense strategies are either not strong enough or lower the usability of the system. Based on the fact that legitimate voice commands should only come from humans rather than a playback device, we propose a novel defense strategy that is able to detect the sound source of a voice command based on its acoustic features. The proposed defense strategy does not require any information other than the voice command itself and can protect a system from multiple types of spoofing attacks. Our proof-of-concept experiments verify the feasibility and effectiveness of this defense strategy.Comment: Proceedings of the 27th International Conference on Computer Communications and Networks (ICCCN), Hangzhou, China, July-August 2018. arXiv admin note: text overlap with arXiv:1803.0915

A survey on security analysis of Amazon echo devices

Since its launch in 2014, Amazon Echo family of devices has seen a considerable increase in adaptation in consumer homes and offices. With a market worth millions of dollars, Echo is used for diverse tasks such as accessing online information, making phone calls, purchasing items, and controlling the smart home. Echo offers user-friendly voice interaction to automate everyday tasks making it a massive success. Though many people view Amazon Echo as a helpful assistant at home or office, few know its underlying security and privacy implications. In this paper, we present the findings of our research on Amazon Echo’s security and privacy concerns. The findings are divided into different categories by vulnerability or attacks. The proposed mitigation(s) to the vulnerabilities are also presented in the paper. We conclude that though numerous privacy concerns and security vulnerabilities associated with the device are mitigated, many vulnerabilities still need to be addressed

Smart home personal assistants : a security and privacy review

Smart Home Personal Assistants (SPA) are an emerging innovation that is changing the means by which home users interact with technology. However, several elements expose these systems to various risks: i) the open nature of the voice channel they use, ii) the complexity of their architecture, iii) the AI features they rely on, and iv) their use of a wide range of underlying technologies. This paper presents an in-depth review of SPA’s security and privacy issues, categorizing the most important attack vectors and their countermeasures. Based on this, we discuss open research challenges that can help steer the community to tackle and address current security and privacy issues in SPA. One of our key findings is that even though the attack surface of SPA is conspicuously broad and there has been a significant amount of recent research efforts in this area, research has so far focused on a small part of the attack surface, particularly on issues related to the interaction between the user and the SPA devices. To the best of our knowledge, this is the first article to conduct such a comprehensive review and characterization of the security and privacy issues and countermeasures of SPA

Privacy-preserving and Privacy-attacking Approaches for Speech and Audio -- A Survey

In contemporary society, voice-controlled devices, such as smartphones and home assistants, have become pervasive due to their advanced capabilities and functionality. The always-on nature of their microphones offers users the convenience of readily accessing these devices. However, recent research and events have revealed that such voice-controlled devices are prone to various forms of malicious attacks, hence making it a growing concern for both users and researchers to safeguard against such attacks. Despite the numerous studies that have investigated adversarial attacks and privacy preservation for images, a conclusive study of this nature has not been conducted for the audio domain. Therefore, this paper aims to examine existing approaches for privacy-preserving and privacy-attacking strategies for audio and speech. To achieve this goal, we classify the attack and defense scenarios into several categories and provide detailed analysis of each approach. We also interpret the dissimilarities between the various approaches, highlight their contributions, and examine their limitations. Our investigation reveals that voice-controlled devices based on neural networks are inherently susceptible to specific types of attacks. Although it is possible to enhance the robustness of such models to certain forms of attack, more sophisticated approaches are required to comprehensively safeguard user privacy

A Survey on Privacy and Security of Internet of Things

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Internet of Things (IoT) has fundamentally changed the way information technology and communication environments work, with significant advantages derived from wireless sensors and nanotechnology, among others. While IoT is still a growing and expanding platform, the current research in privacy and security shows there is little integration and unification of security and privacy that may affect user adoption of the technology because of fear of personal data exposure. The surveys conducted so far focus on vulnerabilities based on information exchange technologies applicable to the Internet. None of the surveys has brought out the integrated privacy and security perspective centred on the user. The aim of this paper is to provide the reader with a comprehensive discussion on the current state of the art of IoT, with particular focus on what have been done in the areas of privacy and security threats, attack surface, vulnerabilities and countermeasures and to propose a threat taxonomy. IoT user requirements and challenges were identified and discussed to highlight the baseline security and privacy needs and concerns of the user. The paper also proposed threat taxonomy to address the security requirements in broader perspective. This survey of IoT Privacy and Security has been undertaken through a systematic literature review using online databases and other resources to search for all articles that meet certain criteria, entering information about each study into a personal database, and then drawing up tables summarizing the current state of literature. As a result, the paper distills the latest development

Internet-of-Things (IoT) Security Threats: Attacks on Communication Interface

Internet of Things (IoT) devices collect and process information from remote places and have significantly increased the productivity of distributed systems or individuals. Due to the limited budget on power consumption, IoT devices typically do not include security features such as advanced data encryption and device authentication. In general, the hardware components deployed in IoT devices are not from high end markets. As a result, the integrity and security assurance of most IoT devices are questionable. For example, adversary can implement a Hardware Trojan (HT) in the fabrication process for the IoT hardware devices to cause information leak or malfunctions. In this work, we investigate the security threats on IoT with a special emphasis on the attacks that aim for compromising the communication interface between IoT devices and their main processing host. First, we analyze the security threats on low-energy smart light bulbs, and then we exploit the limitation of Bluetooth protocols to monitor the unencrypted data packet from the air-gapped network. Second, we examine the security vulnerabilities of single-wire serial communication protocol used in data exchange between a sensor and a microcontroller. Third, we implement a Man-in-the-Middle (MITM) attack on a master-slave communication protocol adopted in Inter-integrated Circuit (I2C) interface. Our MITM attack is executed by an analog hardware Trojan, which crosses the boundary between digital and analog worlds. Furthermore, an obfuscated Trojan detection method(ADobf) is proposed to monitor the abnormal behaviors induced by analog Trojans on the I2C interface