“For sensitive conversations, it might be a good idea to put your phone away or turn it off,” is the most telling tip the computer science professors at the University of Alabama at Birmingham offer in a recent article by UAB writer Yvonne Taunton, “Shh…Your devices may be listening to you.”
Like the background noise of everything we think we already knew, the cautions of professors Ragib Hasan and Nitesh Saxena — PhDs in the UAB Department of Computer Science — seem bothersome.
Better bother, they say. The threat is not just from smart speakers — the first spies to be reported on in the internet of things.
Uncomfortably laughable as it seemed, the idea that Alexa can be bugging your home is among the most obvious of the problems out there.
“Here, the user has installed a device in his home or office, and this device has a microphone that receives and understands users’ vocal commands,” says Saxena. “Ideally, the speaker system should wake up only when the user issues a wake phrase like “OK, Google,” but there is nothing that prevents it from recording the audio at will on regular user conversations. Also, it is likely that, as the speaker listens to our commands, which are often stored on the cloud servers of these companies, the audio could contain sensitive information spoken in the background — music and TV programs played in the background — that may be of interest to some malicious actors.”
Far more pervasive than smart speakers are smart phones and tablet devices, and the threats proliferate as well, say the professors.
“Unfortunately, the smart devices of today are equipped with many different types of sensors that may be listening in on our conversations,” reports Taunton — sensors such as “accelerometers, GPS, gyroscopes and more.” Those particular sensors, besides what they’re supposed to do (an accelerometer is supposed to tell your phone where it is in space), can also track you like a gumshoe.
Just like in the movies, there are good shamuses and nasty, noir ones.
“In reality, we have threats from two directions — malicious apps that hijack the phone sensors to spy on us, and otherwise benign apps secretly listening to or sensing our activities, and then sending the data ‘home’ for advertising and other activities,” says Hasan.
“Researchers have also demonstrated side channel attacks in which a malicious app can exploit benign-looking resources — motion sensors such as accelerometer or gyroscope or power consumption readings — for which the Android OS does not explicitly ask any user permission prior to granting access,” reports Taunton. Consequences of such bad actors could be:
- Stealing your PIN code based on vibrations of your finger taps
- Mimicking your voice characteristics from listening to you
- Tracking your car from vibrations from your phone in the vehicle
- Tracking your car from variation in cell tower transmissions
Saxena says, “Some recent research studies have demonstrated that many apps in the Android ecosystem have actually been exploiting Android’s permission model to learn sensitive information, such as the device’s IMEI, MAC address or geolocation information to track the device/user, and even exploiting and exfiltrating audio and video data.”
Being careful about what permissions you give to the apps you install is the first thing to do, but it’s no sure bet, and there are ways around it.
“Disable apps from recording and maintaining users’ location history — Google Maps, Facebook,” is another basic recommendation from the professors.
But the most cautionary, if not alarming, thing they recommend is the one we started with: “For sensitive conversations, it might be a good idea to put your phone away or turn it off.”