Abusing the Internet of Things


Back in 2007, the Windows Vista security issue was not of particular interest to the cybersecurity community since the potential impact and the probability of an attacker being able to pull it off were seen to be low (the voice-activation feature had to be turned on and the microphone needed to be next to the speaker). Today, however, more and more people are relying on audio-based personal assistants such as the Echo. What makes this attack vector of particular concern is that some users will depend upon devices like the Echo to command IoT devices such as lights that could have a physical impact on their safety.

The Amazon Echo also works with IFTTT recipes and can command WeMo Switches (discussed in Chapter 3). This makes the Echo a powerful device that is able to control not just lighting in homes, but a range of electronic devices. The Echo only allows the user to select “Alexa” or “Amazon” as the wake word, which must be uttered as the first word in every command so that the Echo knows the user has intended it for the device. Our rudimentary proof of concept would have been thwarted if Amazon required users to select a unique wake word. Of course, threat agents such as neighborhood bullies or malicious entities who were able to eavesdrop on conversations through the cameras in Smart TVs might be able to find out what the unique wake word is set to, but this would substantially limit the risk from threat agents who are unable to access that information.

Designers of products such as the Echo should consider malicious activity that leverages audio as a channel for implementing attack vectors, since these products are primarily designed to communicate using audio. The speech recognition security hole may not have been deemed worthy of concern in the past, but product designers and users need to be extremely cognizant of expanding avenues of abuse using audio channels as we continue to increase our reliance on assistants such as the Echo.


IoT Cloud Infrastructure Attacks


Devices that offer Internet connectivity require supporting cloud infrastructure. We’ve seen how the hue lighting system can be controlled from anywhere in the world using the iOS app. We’ve seen how the WeMo Baby monitor can be accessed remotely through supporting infrastructure hosted by Amazon’s cloud service. We’ve seen how the Tesla Model S maintains a persistent cellular connection with Tesla’s infrastructure to obtain over-the-air updates, send diagnostics, and be controlled using the iOS app. Such reliance of IoT devices upon cloud infrastructure makes it a juicy target for abuse.

In late 2014, hackers compromised the iCloud accounts of several celebrities and exposed their private photographs and videos to the public. They tried various combinations of passwords for the target iCloud accounts until they guessed the right ones. Since most iPhone users elect to sync their photographs and videos across devices using the iCloud service, the attackers were able to obtain the images upon logging in.
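
A defender's view of the repeated password guessing described above, as an added example that is not from the book: it scans authentication events for many failed logins against one account in a short window, and separately reports a success that follows such a burst. The log format, account names, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice@example.com 198.51.100.7 FAIL
2024-01-01T10:00:20 alice@example.com 198.51.100.7 FAIL
2024-01-01T10:00:40 alice@example.com 203.0.113.9 FAIL
2024-01-01T10:01:00 bob@example.com 192.0.2.10 FAIL
2024-01-01T10:01:10 alice@example.com 203.0.113.9 FAIL
2024-01-01T10:01:30 bob@example.com 192.0.2.10 OK
2024-01-01T10:01:40 alice@example.com 192.0.2.44 FAIL
2024-01-01T10:02:00 alice@example.com 192.0.2.44 FAIL
2024-01-01T10:02:30 alice@example.com 192.0.2.44 OK
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed failures per account in WINDOW

def detect_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag accounts with >= threshold failed logins inside window.

    Counting is per account, not per source IP, so guesses spread over
    several addresses still add up; a success while over threshold is
    reported separately as a likely takeover."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, account, _ip, outcome = parts
        when = datetime.fromisoformat(ts)
        q = recent[account]
        while q and when - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if not q:
            flagged.discard(account)  # burst is over; allow a fresh alert
        if outcome == "FAIL":
            q.append(when)
            if len(q) >= threshold and account not in flagged:
                flagged.add(account)
                alerts.append((account, "guessing", len(q)))
        elif outcome == "OK":
            if len(q) >= threshold:
                alerts.append((account, "success_after_guessing", len(q)))
            q.clear()
            flagged.discard(account)
    return alerts
```

On the constructed log, the account with a single mistyped password before a success produces no alert, while the account with failures from three addresses is flagged once for guessing and again when a login succeeds.
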

Although no actual vulnerability in the iCloud service was discovered to have been exploited, the reason the attackers were easily able to obtain access was that the service did not


CHAPTER 8: SECURELY ENABLING OUR FUTURE—A CONVERSATION ON UPCOMING ATTACK VECTORS