What are the risks?First, think about a simple audible attack vector on Amazon Echo. If the device is linked to your calendar, anyone can ask for your schedule and know all of your appointments. While this may not be a high risk at home (unless you have a snooping partner), it could be a high risk for an executive that has a device in his/her office. If the device is at home near a window, and you have an Internet-connected door lock linked to Amazon (like Nest), then a simple bang on the Window and yelling “Open the door” may allow a burglar in. And, in a recent TV commercial, a car is seen starting its engine by telling your personal assistant you are ready to leave. What could go wrong with that?—Carbon monoxide poisoning if the car is still in the garage. The number of new threats and permutations for risk are only just beginning to be understood. So how does this relate to Dolphin Attacks? Anyone of these attack vectors could be instantiated remotely from an audible source without the device owner’s knowledge. This potentially includes reconfiguring the device, making purchases, or performing other nefarious activities. If the commands are embedded in other content, the range of attack vectors could be massive, depending on the permissions and privileges granted to the device. This is where privileged access management (PAM) steps in to help protect consumer devices.
How to solve the problemTo solve this problem, and to mitigate the potential threats from audible and inaudible commands, begin with these recommendations (provided your device supports these functions):
- Enable multi-user voice recognition and train the device to your voice. This will prevent unknown sources, users, and commands from executing if it does not recognize a voice.
- When the device is not needed, manually mute the microphone. Many devices have a button to do so, and this is a sound recommendation when you leave home, have guests over, or need privacy for conversations or events.
- Do not bring these devices to your place of business. These are consumer devices and have no reason to be in your office, not even for music. If you do bring it and ignore this advice, restrict all unnecessary functions, including the calendar, from being used.
- Disable commands for purchasing products from the device from all but authorized users. Product purchases are an easy target for mailbox thieves.
- Limit Smart Home, Mobile Phone, and Skill Access. Many of these devices can control lights, thermostats, and even make phone calls. The risks from these new features are mind-boggling. If you do not need them, turn them off.
- If any connections are established by your device for third parties, make sure all of the passwords are unique, the passwords are not re-used, and that auto-updates are turned on to provide security updates automatically to prevent exploitation.
- If the device supports it, add a verbal password or pin to critical commands. This will ensure purchases or configuration changes are authorized and not spoofed by a rogue command.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology, and Vice President of Product Management during his nearly 12 year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the acquisition of eEye Digital Security, where he served as a Product Owner and Solutions Engineer, since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.