As part of our InfoSec Industry duties in maintaining a positive image to society (I'm not really sure that's a thing but it sounded nice), I'll attempt to bring you a regularly scheduled "SECURE IT" blog entry. In hopes that I have more than two readers, I will also accept requests for the following week's "SECURE IT" blog. So far, my cat asks specifically for an entry on "more treats". This has nothing to do with InfoSec. I'll place that request on the back burner for now.
If you don't know at least one person who has an Amazon Echo, Alexa, version 1 or 2, then you likely haven't left the house recently. This device has become a basis for voice recognition appliances in a majority of homes at roughly 69% market share (versus Google Home 25%, 6% Other- Dec 2017). The Echo, Echo Dot, Echo Show, etc have become a staple for game nights, trivia, music streaming and even online ordering directly from your connected Amazon.com account.
There's no wonder that the Amazon Echo has InfoSec professionals and other like-minded paranoids rather uneasy about the whole thing. As such, there are a handful of methods to put worrying minds at ease, and several others to reverse said ease rather quickly.
SECURE IT NOW
1. Disable the built-in microphone
So you're probably asking yourself as you read this "But...why?!". Well, although the Amazon Echo and related products main function is provide voice assisted tasks and integration of those voice commands to other network connected devices, it is possible to disable the function for fear of eavesdropping on everyday conversations. As such, the Echo is equipped with a microphone on/off switch.
Next time you decide to verbally communicate your passwords or social security numbers to someone inside your home, tap the mic off.
No, I'm not talking about what you practice during a long Western PA winter that is seemingly endless, even after a weekend of sun and 80 degree weather, it returns with snow and cold. Isolation refers to a network segmentation technique, typically over wireless. I would recommend combining isolation and true segmentation if your Amazon Echo does not need to communicate with any other device on your network other than the Internet for queries such as "WHEN WILL THIS WINTER END?".
This can be accomplished via settings in your router or combination of router and managed network switch.
3. Disable Voice Purchasing
For all the parent's out there, this is a must do as soon as the Amazon Echo is connected to the Internet. Otherwise, you may find several hundred orders of toys, juice boxes and other kid-friendly paraphernalia randomly show up at your door. In one case, a threat-actor was able to voice command purchase items through an open window and return to pick up their prize when the home owner's were away on vacation.
You may also choose to utilize voice purchasing but require a PIN during the process. Rotate the PIN if you don't want passerby's eavesdropping on the PIN for your eavesdropping device. Don't use the same PIN as your back account.
4. Patch Management
Just like any other computing device, the Amazon Echo has it's flaws, updates, fixes and new releases. As such, the Echo is vulnerable to much of the same issues as a mobile device or laptop computer; things like bluetooth stack vulnerabilities, linux kernel remote-code execution and information disclosure in the SDP server and so on and so forth. It's important to ensure that your Amazon Echo is running the latest patched code to mitigate risks related to common system security issues. It is a computer by the way!
A majority of Amazon Echo's security vulnerabilities are effective only when physical access is gained by the threat-actor or tester. With that being said, more and more businesses are utilizing the Echo such as an option in a hotel room. There's no telling how many malicious actors have compromised the Echo's in public locations especially. Once the device is compromised, it may be used to traverse other areas of the network or eavesdrop on your private conversations.
I hope this was at least somewhat helpful in determining how to SECURE IT - Amazon Echo/Alexa. Take care.
DISCLAIMER: The following article lists information as provided by an unbiased 3rd party consulting Company and is in no way, shape, or form sanction by Amazon, Inc.