First, let me say I love my Amazon Echo, and have totally embraced my Connected Home with the ISY-994i! This isn’t a post about some random security hole with integrating it into your home automation system, but a word of caution to consider if you do so. Even if you don’t have a connected smart-home, there are very real security and financial implications you should consider when placing the Echo in your home, especially given its growing power and capability.
When you set up Connected Home devices, you get a warning/disclaimer from Amazon:
“When you connect devices and services to Alexa, anyone speaking to Alexa can operate those products. This includes products such as garage doors, locks, and appliances.”
That got me to thinking: while the ISY integration doesn’t (currently) allow you to ask “Alexa, unlock the front door”, it does allow you to run programs like this one:
What that means is that you can map a device called “Open Door” to the program, allowing you to unlock the door with “Alexa, turn on Open Door” and lock it with “Alexa, turn off Open Door”. Neat, huh?
The problem is that Alexa is a bit “too good” at what it does – always listening REALLY WELL for commands. Even… Through… Closed… Doors. And therein lies the problem: depending on the position of the Echo in your home, someone could just walk up from the outside and ask the door to unlock through a door or window!
Obviously this was a proof of concept and I don’t actually have this program enabled, but hopefully it illustrates the potential security issues you need to consider when setting up devices like this. Or even, say, thermostats. You probably don’t think of it as a home security issue, but in theory someone could turn off your heat in the winter or ramp it up to max in the summer (for two very different results!). And it’s not just home automation devices – the library of Alexa Skills is rapidly growing and they have very real financial implications; you wouldn’t want someone using this trick to, say, hail an Uber on your account, or order a pizza.
In fact, one of Amazon’s recommendations is basically to unplug your Echo when you leave home:
“Take steps to ensure the security of your Alexa supported device and safe operation of your connected products. For example, if you do not want Alexa to respond to voice commands (like when you are away from home), turn off microphones on your Alexa supported device.”
I’d go a bit further and say “don’t integrate any physical devices like garage doors or locks into your Amazon Echo Connected Home”. If you do – or even if you don’t – be wary about anyone being able to talk to Alexa through windows and doors, especially when you’re not home.
So what can you or Amazon do to protect against this issue? Read on…
Move your Echo. Obviously the first line of defense would be to avoid placing your Echo close to a door or window, but that’s not always practical.
Automatically turn off Alexa when you’re not home. If you have an Insteon system, you could always set up an On/Off Module or OutletLinc and leverage MobiLinc’s geo-fence feature to turn off Alexa automatically when you’re away from home.
Amazon could build a geo-fence feature into the Alexa app. Probably the best simple solution to this problem would be for Amazon to bake geo-fencing directly into the Alexa App, and automatically disable Alexa when all members of a household are not home. This would mean that whenever you (or, more specifically, your phone) and everyone else in your household are not home, Alexa wouldn’t respond to requests.
Amazon could incorporate speaker recognition into the Alexa service. An ideal but more difficult fix would be to incorporate voice-printing, aka Speaker Recognition, into the Alexa service. Speaker recognition (identifying WHO is speaking) would allow Alexa to respond only to voices from household members, but presumably that technology is quite a ways off given that voice recognition (identifying WHAT is being spoken) itself is still not a perfected art.
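The "turn off Alexa when nobody is home" logic from the list above, as an added example that is not part of the original post and is not Insteon, ISY or MobiLinc code. The class name, phone identifiers, the 600-second grace period and the sample sightings are assumptions made for illustration.

```python
from dataclasses import dataclass, field

AWAY_GRACE_S = 600  # assumed value: phones drop Wi-Fi briefly while asleep


@dataclass
class PresenceGate:
    """Decides whether the outlet feeding the Echo should be powered."""
    household: frozenset                  # enrolled phone identifiers
    grace_s: int = AWAY_GRACE_S
    last_seen: dict = field(default_factory=dict)
    outlet_on: bool = False               # fail closed: start with the Echo off

    def observe(self, phone, now):
        """Record that the router or geo-fence saw `phone` at home at `now`."""
        if phone in self.household:       # guests and unknown devices are ignored
            self.last_seen[phone] = now

    def tick(self, now):
        """Return 'ON' or 'OFF' when the outlet must change, else None."""
        anyone_home = any(now - t <= self.grace_s for t in self.last_seen.values())
        if anyone_home == self.outlet_on:
            return None
        self.outlet_on = anyone_home
        return "ON" if anyone_home else "OFF"


def replay(gate, sightings, ticks):
    """Feed (time, phone) sightings in order; return the outlet changes."""
    pending, changes = sorted(sightings), []
    for now in ticks:
        while pending and pending[0][0] <= now:
            seen_at, phone = pending.pop(0)
            gate.observe(phone, seen_at)
        command = gate.tick(now)
        if command:
            changes.append((now, command))
    return changes


# Constructed sample data (seconds since start), not taken from the post.
SIGHTINGS = [(0, "phone-a"), (60, "phone-b"), (300, "phone-a"),
             (700, "phone-a"),       # 400 s gap: inside the grace period
             (2000, "guest-phone")]  # not enrolled: must not power the Echo


def demo():
    gate = PresenceGate(household=frozenset({"phone-a", "phone-b"}))
    return replay(gate, SIGHTINGS, ticks=range(0, 3001, 100))
```

The returned ON/OFF commands would be sent to the outlet by whatever controller you use. If sightings stop arriving altogether, every phone ages out of the grace period and the gate switches the Echo off.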
Great idea on the on/off module and geo fence! Adding to my network tonight.
I like the idea of turning on the Echo only when I’m home. My router sets a variable based on my ISY when any family member’s phone is connected. I’ll add the Insteon On/Off module that activates when someone is home. Thanks for the suggestion!
Yeah having it on only when you’re home is really the only way to do it… I wouldn’t be able to have any peace of mind knowing someone might figure out a way to mess with my Echo and unlock my doors :/
How do you have your router set a variable on the ISY when a family member’s phone is connected to Wi-Fi? I’d like to do that! Can you share how you are doing this?
Interesting. I’m only just starting my research on Insteon, ISY and I have an Echo, though I’ve not tried programming skills for it.
I’m curious, with the scripting you’ve shown in the other ISY/Echo posts, would it be possible to have “arguments” on some programs/scenes such that you could lace these types of sensitive events with passphrases? An “Alexa, open the door purple monkey rainbow.” and it only works if the arguments were recognized and matched whatever you put in your script?
If that kind of stuff is passed through, it’d be a layer you could add. Obviously only as good as shouting your PIN at an ATM. You’d probably want to change it every time. But it’d be good for an emergency key.
This is a great suggestion! Unfortunately you still can’t pass in arguments, but you COULD change the name of any program in the my.isy.io site to reference an existing program. So, while I don’t actually use the program shown in the video (I can’t really think of a reason to use Alexa to unlock the door), I could name the program something like “door purple monkey rainbow”. That way, instead of saying “turn on the door” you’d have to say “turn on the door purple monkey rainbow”. Like you said, it’s about as secure as shouting your PIN at an ATM, but it does offer a tiny bit of extra security. I suspect you could even add a PIN like “turn on the door 4 7 X 4 G”, so that way even if someone overhears you they wouldn’t casually remember it as easily.