The use of digital voice assistance can be extremely helpful as it can perform various tasks with only the use of your voice. Checking the weather, texting a friend, or turning the lights off in your house is now possible with only a few words without moving a finger. While the value of digital voice assistant technologies is undisputed, there are huge concerns about the threats and vulnerabilities that are associated to this rising technology. With nearly half of the American population using a voice assistant at least once a month, these threats and vulnerabilities deserve a closer look. In this discussion, I will go through the different threats presented in voice assistants and ways we can mitigate these risks.

One of the first threat described by the article, describes an actual scenario in 2019 where a family got their Nest security system hacked. Nest, which is owned by Google, provides wireless security features as well as other features such as thermostats, lights, and alarm systems. The family who got their system hacked, had someone talk through their home security cameras and controlled the temperature of their home. This is a serious security issue that needs to be addressed, and Google claimed that the issue was due to a weak password from the owner.

A mitigation strategy for this issue by Google is to require the implementation of two-factor authentication (2FA) for their system. While the owners did get hacked by a weak password, by forcing users to create a strong password with mandatory requirements, combined with 2FA, this will reduce the risk of someone being hacked by a weak password. This should give the peace of mind to the customer as Google is promising on their end to provide protection to their data centers. By implementing this technique, password vulnerabilities should be reduced.

Another issue with digital voice assistants, in the case of Alexa, was the threat of the system being woke up by words that were not intended to activate the device. With digital voice assistants, words such as “Hey Google” or “Alexa” can trigger the device to start recording and querying the requested command. However, there are many words that can sound like these “wake words”, which can result in unwanted commands that can pose a big security threat. In the case we read, there was an example of a six-year-old kid who ordered dollhouses and cookies to their house in 2016. Imagine if someone were to access bank credentials or other private information that can pose a risk to the user.

A mitigation strategy for the companies involved is to further develop security measures for situations like the ones described above. One measure I was thinking of by voice recognition. If there was a way to only be activated by your own voice, or some sort of voice signature, that can prevent people from your household from accidently or intentionally controlling the device. Requiring a pin number or some sort of second wall can be effective as well. Like for order items off Amazon or any action that requires monetary permissions should require a custom pin or sound that a user must make.

With the vulnerabilities and threats described above, there are also more sophisticated attacks that be done that have been conducted by various researchers around the world. One of these threats is the case of Dolphin Attacks. Discovered by a group of Chinese and American researchers, Dolphin attacks to voice controlled assistants are attacks that allow the attacker to gain control of an attack by playing a “ high-pitched command embedded in a piece of music” or sound. The commands used in a dolphin attack can allow the attacker to switch the device to airplane mode or other malicious actions that is intended by the attacker. It is called the dolphin attack because these sounds are undetectable to the human ear and in essence, can be conducted without the owner of the device to be aware of what is going on.

Another form of this sound attack is the manipulation of the audio being projected. Researchers were able to slightly change the audio file to perform commands without the owner knowing. There is also a thing called voice squatting, in which the attacker says words that sound normal but have different meanings. Words such at “Cat Fax” can command the voice assistant to print something or retrieve a Fax, when it sounds like “Cat Facts” to the owner of the device.

Sample Solution