What are the risks?

First, think about a simple audible attack vector on Amazon Echo. If the device is linked to your calendar, anyone within earshot can ask for your schedule and learn all of your appointments. While this may not be a high risk at home (unless you have a snooping partner), it could be a high risk for an executive who has a device in his or her office. If the device is at home near a window, and you have an Internet-connected door lock linked to Amazon (like Nest), then a simple bang on the window and a shout of "Open the door" may let a burglar in. And, in a recent TV commercial, a car is seen starting its engine when the owner tells a personal assistant they are ready to leave. What could go wrong with that? Carbon monoxide poisoning, if the car is still in the garage. The number of new threats and permutations of risk is only just beginning to be understood.

So how does this relate to Dolphin Attacks? Any one of these attack vectors could be triggered remotely from an inaudible source without the device owner's knowledge. This potentially includes reconfiguring the device, making purchases, or performing other nefarious activities. If the commands are embedded in other content, the range of attack vectors could be massive, depending on the permissions and privileges granted to the device. This is where privileged access management (PAM) steps in to help protect consumer devices.
How to solve the problem

To solve this problem, and to mitigate the potential threats from audible and inaudible commands, begin with these recommendations (provided your device supports these functions):
- Enable multi-user voice recognition and train the device to your voice. This prevents commands from unknown sources and unrecognized users from executing, because the device will not act on a voice it does not recognize.
- When the device is not needed, manually mute the microphone. Many devices have a button to do so, and this is a sound recommendation when you leave home, have guests over, or need privacy for conversations or events.
- Do not bring these devices to your place of business. These are consumer devices and have no reason to be in your office, not even for music. If you do bring it and ignore this advice, restrict all unnecessary functions, including the calendar, from being used.
- Disable commands for purchasing products from the device from all but authorized users. Product purchases are an easy target for mailbox thieves.
- Limit Smart Home, Mobile Phone, and Skill Access. Many of these devices can control lights, thermostats, and even make phone calls. The risks from these new features are mind-boggling. If you do not need them, turn them off.
- If your device has connections to third-party services, make sure every password is unique and not re-used elsewhere, and that auto-updates are turned on so security updates are applied automatically to prevent exploitation.
- If the device supports it, add a verbal password or PIN to critical commands. This ensures that purchases and configuration changes are authorized by you and not spoofed by a rogue command.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.