First, let me say I love my Amazon Echo, and have totally embraced my Connected Home with the ISY-994i! This isn’t a post about some random security hole with integrating it into your home automation system, but a word of caution to consider if you do so. Even if you don’t have a connected smart-home, there are very real security and financial implications you should consider when placing the Echo in your home, especially given its growing power and capability.
When you set up Connected Home devices, you get a warning/disclaimer from Amazon:
“When you connect devices and services to Alexa, anyone speaking to Alexa can operate those products. This includes products such as garage doors, locks, and appliances.”
That got me to thinking: while the ISY integration doesn’t (currently) allow you to ask “Alexa, unlock the front door”, it does allow you to run programs like this one:
What that means is that you can map a device called “Open Door” to the program, allowing you to unlock the door with “Alexa, turn on Open Door” and lock it with “Alexa, turn off Open Door”. Neat, huh?
The problem is that Alexa is a bit “too good” at what it does – always listening REALLY WELL for commands. Even… Through… Closed… Doors. And therein lies the problem: depending on the position of the Echo in your home, someone could just walk up from the outside and ask the door to unlock through a door or window!
Obviously this was a proof of concept and I don’t actually have this program enabled, but hopefully it illustrates the potential security issues you need to consider when setting up devices like this. Or even, say, thermostats. You probably don’t think of it as a home security issue, but in theory someone could turn off your heat in the winter or ramp it up to max in the summer (for two very different results!). And it’s not just home automation devices – the library of Alexa Skills is rapidly growing and they have very real financial implications; you wouldn’t want someone using this trick to, say, hail an Uber on your account, or order a pizza.
In fact, one of Amazon’s recommendations is basically to unplug your Echo when you leave home:
“Take steps to ensure the security of your Alexa supported device and safe operation of your connected products. For example, if you do not want Alexa to respond to voice commands (like when you are away from home), turn off microphones on your Alexa supported device.”
I’d go a bit further and say “don’t integrate any physical devices like garage doors or locks into your Amazon Echo Connected Home”. If you do – or even if you don’t – be wary about anyone being able to talk to Alexa through windows and doors, especially when you’re not home.
So what can you or Amazon do to protect against this issue? Read on…
Move your Echo. Obviously the first line of defense would be to avoid placing your Echo close to a door or window, but that’s not always practical.
Automatically turn off Alexa when you’re not home. If you have an Insteon system, you could always set up an On/Off Module or OutletLinc and leverage MobiLinc’s geo-fence feature to turn off Alexa automatically when you’re away from home.
Amazon could build a geo-fence feature into the Alexa app. Probably the best simple solution to this problem would be for Amazon to bake geo-fencing directly into the Alexa App, and automatically disable Alexa when no member of the household is home. This would mean that whenever you (or more specifically, your phone) and everyone else in your household are away, Alexa wouldn’t respond to requests.
Amazon could incorporate speaker recognition into the Alexa service. An ideal but more difficult fix would be to incorporate voice-printing, aka Speaker Recognition, into the Alexa service. Speaker recognition (identifying WHO is speaking) would allow Alexa to only respond to voices from household members, but presumably that technology is quite a ways off given that voice recognition (identifying WHAT is being spoken) itself is still not a perfected art.
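Going back to the geo-fence idea (muting Alexa when no household member's phone is home), here is a sketch of the decision logic as an added example; it is not code from Amazon, MobiLinc or the ISY. The Household and Phone names, the radii, the coordinates and the 15-minute staleness timeout are all assumptions, as is the premise that each phone reports its position periodically.

```python
import math
from dataclasses import dataclass

HOME = (40.0, -75.0)      # constructed coordinates, not a real address
EXIT_RADIUS_M = 200       # a phone at home becomes "away" beyond this
ENTER_RADIUS_M = 100      # an away phone becomes "home" inside this
STALE_AFTER_S = 900       # assumed heartbeat timeout for phone reports


def distance_m(a, b):
    """Haversine distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


@dataclass
class Phone:
    home: bool = False                  # unknown phones start as "away"
    last_seen: float = float("-inf")    # never reported yet


class Household:
    def __init__(self, members):
        self.phones = {name: Phone() for name in members}

    def report(self, member, position, now):
        """Record one location report (now = seconds on any monotonic clock)."""
        phone = self.phones[member]
        d = distance_m(HOME, position)
        # Two radii give hysteresis, so GPS jitter at the edge cannot flap the state.
        if phone.home and d > EXIT_RADIUS_M:
            phone.home = False
        elif not phone.home and d < ENTER_RADIUS_M:
            phone.home = True
        phone.last_seen = now

    def echo_should_listen(self, now):
        """True only while at least one phone is home AND recently heard from.

        A phone that went silent while "home" (dead battery, left behind) is not
        proof of presence, so the decision fails closed: the Echo is muted.
        The caller maps False to switching off the outlet that powers the Echo.
        """
        return any(p.home and now - p.last_seen <= STALE_AFTER_S
                   for p in self.phones.values())
```

Failing closed means someone at home with a dead phone has to switch the Echo back on by hand, which is the safer trade-off when a door lock is mapped to a voice command.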