Amazon’s Echo Dot 3rd Gen is currently going for $10AUD (usually $59AUD) for new Amazon Prime Members. With so many Australians under lock down and shopping more, I’m sure the prospect of introducing Alexa to our homes is attractive as ever.
And look – I get it. As someone who’s used virtual assistants in the past (both Google Assistant and Siri), I understand the convenience of voice commands. Our smartphones were the gateway to virtual assistants – and now smart speakers are being sold more than ever before, with global smart speakers sales are expected to surpass USD$30 billion in 2024 (Global Market Insights). In 2022, 55% of all households will have a smart speaker (OC&C Strategy Consultants).
But there’s reasons why I no longer use Google Assistant, and why I believe you should think twice about befriending Alexa.
Introducing: Alexa
Amazon unveiled their virtual assistant Alexa back in 2014 with the Echo. The Echo was the first mainstream home assistant speaker device (the Google Home wouldn’t be unveiled until late 2016). Since then Amazon has held a lead on Google, and currently owns around 70% of the smart speaker market.
At the time, Alexa launched with around 100 ‘skills’ (commands). Starting from 2016, the number of new Alexa skills began to grow exponentially:
The two main reasons Amazon has remained dominant in the Smart Speaker market are:
- Affordability (it’s hard to compete with $10AUD for a smart speaker)
- The vastly superior versatility of Alexa’s skillset (over 100,000)
Outside of information-fetching commands like the weather or news, Alexa plays the role of central command in many smart home ecosystems. This can include smart TVs, sound systems, home security systems, room lights, smart locks, smart fridges, smart coffee makers, smart robot vacuums, shower heads, water usage sensors, electric door strikes, automatic beer brewers – the list goes on, and on, and on.
Alexa’s Custom 3rd Party Skills
The main reason why Alexa’s repertoire can grow at such a rate is due to most of them being “custom skills” developed by third parties.
This was made possible with the introduction of Amazon’s Skill Blueprints, which allows people to create custom commands without any coding knowledge at all.
There are requirements that these skills must adhere to when they’re developed: invocation names, intents, cloud-based services and proper configuration. However, industry experts have raised concerns about Amazon’s vetting process somewhat slacking. There are two main security issues of the vetting process.
Amazon’s Subpar Vetting Process
Firstly, loopholes have been revealed that allow developers to use the same phrase as popular brand names (for instance Ring and Samsung), which allows for the potential to duplicate invocation phrases.
The fear is that this may lead to increased phishing attacks, because each time a skill is downloaded by a user their email address is made accessible to the third party which developed the skill.
The second issue comes from the fact that once a skill has been approved by the vetting process, developers are free can make changes to the code of their app without them being vetted again.
This could be problematic if a developer mistakenly make code alterations (or worst case scenario, deliberately) that open their application to malware and other forms of cyber threats, or make code changes to collect additional personal data from users without their knowledge or consent.
Voice Squatting
The freedom for third parties to develop their own skills has also led to “voice squatting”, a practice that creates fake skills. Researchers at Indiana University were able to register skills that sounded like other, commonly used skills “using accents and mispronunciations to illicit unwitting installations.”
“This is problematic because, if you think you are activating one skill, but are actually activating another, this creates the risk that you will share information with a developer that you did not intend to share information with,”
Matt Shipman, ‘Study reveals extent of privacy vulnerabilities with Amazon’s Alexa’, North Carolina State University (2021)
Hackers were able to turn the Echo into a listening device. This exploit was eventually closed by Amazon – but knowing hackers, it may only be a question of when again?
Amazon Alexa Privacy Policy
It’s safe to say that the majority of Amazon’s customer base isn’t particularly concerned with how Amazon treats their data. The issue with third party skills is that your data may not only go to Amazon – it goes to the third party developers.
“Amazon’s Alexa privacy policy does not require third part skill developers to disclose how data is being collected and used.” Privacy policies are only required if the skill requires account linking or collects user data.
A University of California study revealed that some links provided by third parties to their privacy policy resulted in 404 or 500 HTTP errors, timeout errors and access denied errors. Some developers just put a link to their website instead of a privacy policy.
“But the researchers found that 23.3% of 1,146 skills that requested access to privacy-sensitive data either didn’t have privacy policies or their privacy policies were misleading or incomplete.”
Matt Shipman, ‘Study reveals extent of privacy vulnerabilities with Amazon’s Alexa’, North Carolina State University (2021)
Even more problematic is that there’s no form of identity validation process in place for third-party skill developers. Without a formal validation process for developer identity, this creates a greater opportunity for malpractice or malicious activity.
This means developers could claim to be anyone, allowing them to register under the name of a more reputable or trustworthy organisation. This may trick users into believing that the skill was published by a trustworthy organisation, setting them up to be victim to various phishing attacks.
GDPR Privacy Law: Amazon’s $887 Million Fine
Outside of Amazon’s various high-profile data breaches over the years, the company itself has a reputation for less-than-transparent practices and policies concerning user data.
Late July, Amazon was hit with a USD$887 million fine by the LNCDP (Luxembourg National Commission for Data Protection) for breaching data protection laws set by the EU’s General Data Protection Regulation (GDPR).
Amazon will appeal the fine, having stated publicly that they believe the decision lacks merit. Details are scarce as GDPR investigations are typically tight-lipped until an appeal process has been completed, but what we do know is that it’s related to how Amazon displays advertisements to its customers.
Amazon Sidewalk
Amazon Sidewalk was launched back in June, a new feature that allows Amazon to create shared smart networks. Certain devices (Echo smart speakers and Ring gadgets) become “bridges” to connect other Sidewalk-enabled devices using either Bluetooth or LoRa signals.
One way to think of it is as a mesh network: in houses where many walls interfere with the strength of a router’s wifi signal, satellite modules are placed around the household to strengthen the signal to ensure larger coverage.
In the case of Amazon Sidewalk, the smart network isn’t only for your house – it’s used to “support [your] community”. If your neighbour’s backyard security camera has a weak signal from their wifi but is within range of your network, it will borrow some of your bandwidth to strengthen its connection. These transmissions are capped to 80Kbps each, and month usage is capped at 500MB a month.
While it is possible to disable Amazon Sidewalk, all users were opted-in automatically upon launch. Bridges will continue to work for devices on your network, but you won’t receive the extended coverage benefits of Sidewalk’s shared network pool. Currently Sidewalk is only available in the US, with no word on when it will be launched in Australia (likely only a matter of time).
There’s no additional cost to use Amazon Sidewalk, and it may definitely prove beneficial in some cases – like if your home’s internet goes down, or locating a lost item or pet (tagged with a Tile) because Sidewalk coverage can be extended up to around 800 metres.
Amazon went as far as to publish a white paper on Sidewalk’s privacy and security, no doubt anticipating the public’s skepticism and apprehension. “Data shared over the Sidewalk network is protected with three layers of encryption, only accessible by the devices you choose, and automatically deleted every 24 hours to protect your privacy.”
While these details are comforting to hear, the truth is that Sidewalk still falls under IoT (Internet of Things). For a majority of IoT devices, security remains an afterthought and not a core consideration in software design.
While Sidewalk does seem to doing some things right in terms of encryption, the first year of release will be critical in revealing vulnerabilities and an opportunity to see how well Amazon adapts in its security implementation.
Tech Neck Nick 