I recently gave a tour of my home network. I walked around my home and showed all of its different electronic components. This included the firewalls, routers, switches, cameras, and all of the devices that get interacted with. One thing that blew up in the comments over and over was remarks about how secure my home was but that it was “all ruined by having an Amazon Alexa in my house”. This of course turned into a lot of debate asking “Is Alexa safe?”. With a little patience and education I think we can pretty definitively answer that question!
Is Alexa Safe or a Snooping Device?
Honestly, asking the question “Is Alexa safe or a snooping device?” is really the wrong question to ask in the first place. But more on that in a little bit.
First of all it is important to understand that Amazon designed the Echo (which is the device’s actual name) to listen constantly for a keyword. It doesn’t start recording or sending any data to any device until that keyword is spoken. That word can be “Alexa, Amazon, Echo, or Computer”. Once the keyword is spoken Alexa begins to listen and record your next few words. These words are pushed to some cloud servers and analyzed. Nothing outside of that interaction is ever sent to Amazon.
By opening the Alexa app on your phone, tablet, or PC you can see every single recording that Alexa has ever made and the exact content of that recording. It is true that Amazon keeps some portion of these recordings on their servers for an extended period of time. This is used to customize Alexa’s responses. For example if you ask Alexa to turn on a light she will remember that interaction. If your next command is simply “Turn it off.” without specifying a device Alexa will look at those previous interactions as a means of understanding what you want her to do.
If Amazon isn’t snooping, what about hackers?
In August of 2017 British security research firm MWR detailed how the Alexa could be compromised by hackers. It wasn’t easy. It required physical access to the device, complete disassembly, soldering devices to the board, and adding a new boot firmware. That clearly isn’t feasible for most hacks, and definitely not for someone 10,000 miles away in a foreign country living in their mom’s basement. Amazon fixed the problem quickly and any device made after October 2017 is immune from even that attack. With that in mind you might consider buying new rather than buying a used Alexa on Craigslist or eBay that could have been modified.
I think it’s safe to say Amazon spent a lot of time worrying about security. An Alexa compromise could be devastating to their business. But with that in mind, it’s time to start asking the better questions!
You’re Asking the Wrong Questions
Asking “Is Alexa safe?” or “Is Alexa snooping on me?” is the wrong question. Let’s talk about why.
You Are Already Giving Far More Data to Amazon and Google without Alexa
We’ll come back to snooping in a minute; for now let’s just focus on the data privacy aspect. So many of you are so upset that Amazon would collect any data on what you say to Alexa. Is Amazon using this data to sell more stuff to you? Of course they are! And they would be crazy not to. But we need to take a second and get real about this. Why are you worried about what Alexa collects? It’s creepy? It’s an invasion of privacy? Any number of other excuses?
It appears to me more and more that the ultimate issue with Alexa in people’s minds is that the data is being collected by a new mechanism that seems more personal than in the past: voice. The truth is however, you’re giving far more valuable data to Amazon, Google, Apple, and other big tech companies every day and none of them need a digital assistant to get it! Literally every single word you type on Google, Facebook, Instagram, or the like is analyzed and tied directly back to you via cookies and other more advanced tracking mechanisms. Why exactly is it that you are worried about Alexa, but you’re not making a big fuss about those? And those have been going on for almost two decades!
Even With Snooping You Are Looking in the Wrong Place!
Back to the original worry about snooping. Asking “Is Alexa safe or is she snooping on me?” is the absolute wrong question to ask!
Society is really pretty terrible about taking the time to understand something. They let the media flash shiny things in front of them and they never bother to go see what the real facts are. This is a problem in many areas, mostly in politics, but it also hits head on in privacy!
You’re worried about Alexa sitting on your counter top, because she’s in your house and plugged into your network. What about the smartphone in your pocket that’s connected directly to the internet and goes literally everywhere you go! It’s in your bedroom, in your car, it participates in every moment of your life right by your side. It is literally an internet connected microphone for your every move. Yet you’re not the least bit concerned about that!
Almost every device you have in your home these days is connected to the Internet and contains a microphone. As I walked around my house I found them all over, in things I hadn’t even considered before!
Potential Snooping Devices in my Home
My XBOX ONE has not only a microphone, but a camera on the front of it watching my every move and connecting it all to the internet.
The Marantz receiver has a microphone supposedly used for balancing the audio in the theater room, but alas it’s connected to the internet.
My Samsung Smart TV has a microphone and listens for voice commands and yep, it is also internet connected.
My iPad, my Microsoft Surface, and my Apple TV, all have microphones and internet connections.
The Camera I use for shooting The Geek Pub videos has 4 microphones and an internet connection.
My Gaming PC has multiple microphones and a camera all connected to the internet.
And guess what? It gets even worse. I have nine security cameras in the house all designed for my family’s protection. Each and every one of those cameras is internet connected and has a microphone.
Worrying about Amazon’s Alexa and asking “Is Alexa Safe?” from a privacy and security perspective is similar to worrying about a toddler peeing on the deck of the sinking Titanic and sending the ship’s crew to stop the little guy instead of focusing on the real source of water: the giant holes left by the icebergs!
Why isn’t there a massive focus on all of these things? After all, most of them have similar services such as Siri, OK Google, Cortana and the like. Again, we’re asking the wrong questions. It’s not “Is Alexa safe?” It’s “Are all of my potential listening devices safe?”. If you’re worried about Alexa and not all of those other microphones in your home, then you’re not being honest with yourself.
How to Protect Your Home From All These Potential Snooping Devices
Our focus for security and privacy needs to be completely rethought. Let’s start with making sure our networks and devices are free from malware. And let’s be honest, if you think you’re going to keep the NSA out, the war is already over. We can however keep the script kiddies and professional hackers at bay. At least most of them.
Start by Securing your Network
The first step needs to be to secure your network at the entry point with a proper firewall. Don’t count on the router that your ISP gave you for security. Not only is it likely the bottom of the barrel cheapest of the cheap it is also likely loaded with spyware from your ISP that can snoop on all of the devices in your home. Verizon is well known for this type of shenanigans with their devices.
Get a real firewall and keep it up to date. I personally prefer to run pfSense as my firewall. It’s fantastic and you can get some inexpensive appliances from Amazon to run it on. With pfSense you can run anti-malware protection at the firewall. This is a great strategy as it adds another layer of protection for your home by blocking malware before it ever has the opportunity to enter your home network and land on your PC or devices. Ubiquiti also makes some great security appliances and firewalls if you’d prefer an out of the box solution.
Secure Your PCs and Other Devices
Make sure that every device and PC in your home is running the built-in firewall. This alone can be some of the simplest and most effective anti-malware. Many internet worms travel by looking for open ports on your PC that can be injected with malicious code. With a firewall that path is completely blocked (in most cases).
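To see which ports a host firewall actually has to cover, the following added example (not from the original article) parses a listening-socket listing and reports every port bound to something other than loopback. It assumes a Linux machine with `ss` from iproute2; the function names are hypothetical and the sample output is constructed.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      50                 *:445              *:*
udp   UNCONN 0      0       192.168.1.20:5353       0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
tcp   LISTEN 0      511             [::]:8080          [::]:*
"""


def split_local(field):
    """Split ss's 'addr:port' local field; handles [v6], '*' and '%iface'."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and iface suffix
    return addr, int(port)


def is_loopback(addr):
    """True only for addresses that cannot be reached from another machine."""
    if addr == "*":  # wildcard bind: listening on every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_text):
    """Return (proto, addr, port) tuples, sorted by port, reachable off-host."""
    found = set()
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue  # header line or unrelated socket type
        addr, port = split_local(cols[4])
        if not is_loopback(addr):
            found.add((cols[0], addr, port))
    return sorted(found, key=lambda r: (r[2], r[0], r[1]))


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto:4} {addr:>15} port {port}")
```

Each port it reports is one the built-in firewall should either block or deliberately allow; on a real machine, feed it the output of `ss -H -tuln` instead of the sample.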
For any device in your home running Windows it is imperative that you have an anti-malware software installed. There are plenty of good choices for this, including Microsoft’s own anti-malware services.
Do not install (or let anyone else install) any software on your PC unless you are 100% certain it is safe. Installing drivers from 3rd party sites is a huge red flag. Only download drivers from the actual manufacturer’s website. Never install anything you can’t verify is directly from the company that released it.
Don’t visit nefarious sites! The most common way I’ve seen people get malware and spyware on their computers is through visiting sites they shouldn’t be going to. Porn sites, get rich quick schemes, gambling sites, and pirate sites. Many of those sites are loaded with malware just waiting to infect your PC. These sites can’t run legitimate advertisements so they look for illegitimate means of monetizing them. Bad hangs out with bad. Stay away from those places if you don’t want spyware on your device or PC.
So before we ask “Is Alexa Safe?” let’s ask a much more important question: “Is our home network safe from malware?”
After seeing article after article about new compromises, I realized I couldn’t really trust any of these devices, and I’ve segregated all my IoT devices onto their own VLANs, and set strict rules on what they’re allowed to communicate with and what can communicate with them. It’d be easy enough to watch for streams destined for the internet and dump them. I was able to get around broadcasting issues with some quick scripting. I wanted to mention Sophos UTM as a good home solution as well; they don’t target the home market but you can install their firewall solution on your own hardware. Their policy-based routing, country-blocking, and service grouping features make administrating nice and easy. I know country blocking isn’t the best way to go about things, but it’d be easy enough to switch to reputation based blocking. Root access is offered and additional functionality is easily integrated if you want to get under the hood as well.
This is exactly what I did for my security camera network!
Thanks for the article backing me up! As an IT Pro, I get the same questioning from the peanut gallery. How can I allow an Amazon Dot in my house?
If you aren’t prepared to go completely off the grid and give up your cell phone (which is arguably impossible these days) then you might as well get some of the benefits while you’re getting data mined. I’ve been on the internet since it was monochrome text so it’s too late to turn back now.
The tinfoil hat types will never be satisfied. But remember, they also believe in chemtrails and other such nonsense.
Exactly! Google and Facebook have been collecting so much data for such a long time and nobody cared. But when Alexa and Windows 10 collect half the amount of that information, everyone loses their mind. I don’t get it!
This post inspired me to redesign my whole setup a while back. I’ve started by disabling Hey Siri on all of the devices in the household. Then, I’ve uninstalled Facebook (and Messenger) apps and tweaked both uBlock and browser settings to treat them more aggressively. I’ve also switched from Google to DuckDuckGo. Next, I’ve put all of the devices which I don’t fully trust (including Windows workstations) in a separate VLAN that can’t communicate with my main machines. The last step was to place all the other semi-smart devices on a network without Internet connection. That includes mainly smart switches which I’m managing via POST requests.
Thank you for inspiring me!