Go to sleep, Alexa. It’s not OK, Google
THE rapidly growing market for voice-controlled speakers probably needed something like the Google Home Mini disaster to happen. Now even those customers who were oblivious to the risks of placing such a device in their homes will want to consider the security implications and manufacturers won’t be able to get away with being so dismissive.
Earlier this month, Artem Russakovskii, who runs the Android Police blog, picked up a pre-market version of the Google Home Mini to review. This is the compact version of the Google Home speaker which you can ask to play music, do a web search or a unit conversion or adjust your smart thermostat. But instead of waiting for commands, Russakovskii’s machine started reacting to a TV programme he was watching by repeatedly saying it didn’t understand. Those digital assistants do that a lot, but usually when woken up by a command like “OK Google” or “Alexa” — or by something they have “misheard” as such a command. Rusakovskii was alarmed because neither he nor the TV was saying anything similar, and the Home Mini kept reacting. He went to his Google account and discovered thousands of activity records: The device had been recording everything that went on in its vicinity.
Russakovskii is one of the tech boosters who have sold the product category to the world so successfully that this year; 35.6 million Americans are expected to use a device like the Amazon Echo or the Google Home at least once a month. To him, people who warned of the dangers of placing such a gadget in the home were “tin-hat wearers.” “I didn’t give too much thought to these privacy concerns because they all sounded theoretical and unlikely,” Russakovski wrote in a post describing his alarming experience.
After the blogger contacted Google, the company reacted quickly, sending an employee to pick up the device and soon rolling out a software update that shut off the touch panel at the top of the spheroid device. The panel provided an additional way of waking up the device — with a finger rather than with voice, but it also served as the pause button and volume control for music and the off button for the alarm function. Google Home Minis will now ship without the touch functionality because it’s too late to fix the panels, which, on some devices, react to “phantom events.”
“We take user privacy and product quality concerns very seriously,” Google said in a statement. “Although we only received a few reports of this issue, we want people to have complete peace of mind while using Google Home Mini.”
Peace of mind, however, is exactly the wrong outcome here. Defective hardware is not the only potential problem. These devices are listening all the time, and the recording function can be triggered by a hack, an accidental noise, a software glitch. What happened to Rusakovskii merely confirms Murphy’s law: anything that can go wrong will go wrong.
The US National Institute of Standards and Technology’s Hyunji Chung, Michaela Iorga and Jeffrey Voas and Korea University’s Sangjin Lee, no “tin-hat wearers,” discussed the product category’s dangers in a recent paper. They explained how communication between an “intelligent digital assistant” and the producer’s cloud, where requests are processed, could be intercepted to hack into the devices. “The potential for accidental recording means that users do not necessarily have complete control over what audio gets transmitted,” they wrote. Apart from spying on a household, the voice recordings could be used to impersonate the speakers and wreak havoc with their lives, they pointed out. For years, we have routinely ignored these kinds of warnings, preferring to listen to tech companies’ assurances that the devices are safe. People like being innovative and hate looking paranoid. Increasingly, people must ask, are we willing to trade the privacy of everything that goes on in our homes for a product that completely duplicates what our smartphones can already do?