3.15 | Is the smart speaker safe?
Information security.

Specialty is strength!
The China Software Evaluation Center thanks you for your attention. Follow us on a journey through science and technology to understand the development trends of new technology and witness the continuous innovation of the information industry.
With the rapid development of smart speakers, models with and without screens continue to diverge.
One direction further "upgrades" the traditional smart speaker by adding screens and cameras, gradually moving it closer to the home tablet / smart screen.
The other direction makes the speaker lighter, wireless and modular, positioning it mainly as the voice control / interaction entry point of the smart home; it will be embedded into more household products and appliances in the future, and smart speakers will continue to spread.
According to the IDC report "Monthly Tracking of China's Smart Speaker Retail Market", sales in China's smart speaker market in 2021 reached 36.54 million units, up 20.1% over the same period of the previous year, and sales are expected to reach 37.25 million units in 2022. As sales keep rising, smart speakers have entered thousands of households.
As the functions of smart speakers diversify, the information technology behind them becomes more complex, and the security risks fall mainly into the following two categories.
First, because smart speakers integrate an ever wider range of functions, the number of interactive interfaces keeps growing, the number of entry points that can be attacked increases, and the attack surface expands.
In 2019, Google Home was breached by Chinese security experts, allowing attackers to control target devices through remote instructions.
Had such an incident escalated, it could have led to the disclosure of the personal information of millions of users: at the lighter end, fraud and misappropriation of funds; at the serious end, danger to users' personal safety and to social stability.
Second, because of product positioning and personalized functions, smart speakers collect a large amount of users' private information and interaction data, which may lead to the illegal collection of users' personal data.
In 2019, Bloomberg revealed that Amazon had hired thousands of employees to listen to the daily recordings of Amazon Echo users, and that the voice data of more than 1700 users had even been illegally leaked.
As a result, users are unwittingly exposed to e-commerce harassment, telecommunications fraud and the like.
The China Software Evaluation Center selected a number of best-selling smart speakers, with and without screens, and evaluated them from the perspectives of network security, data security and personal information security.
(1) Network security and data security of smart speakers.
App security of the smart speaker.
The evaluation experts tested the security of the smart speaker Apps, covering component security, Manifest file inspection, WebView security, network communication security, weak encryption risk, data security, system vulnerabilities, .so file risk, privacy permissions, privacy behaviour and other test items.
During testing, the experts decompiled the .apk files and combined automated scanning with manual penetration testing to find existing security problems.
After evaluation, no serious vulnerabilities were detected in the smart speaker Apps within the scope of the evaluation, so they can effectively prevent the leakage of user information.
Transmission security of smart speaker communication data.
The evaluation experts dynamically captured the network data transmitted during communication between the smart speaker system and its server.
The encryption used throughout smart speaker network communication and connection keep-alive was analysed and assessed with Wireshark and manual audit.
The evaluation found problems such as the plaintext transmission of log files during communication between one smart speaker device and its server, which leaks sensitive user information.
The transmitted log contains device information, log entries and the text converted from the user's voice, so this information is disclosed to anyone on the network path.
The evaluation record is shown in Figure 2: it contains the text of the voice command issued to the device after it was woken up, together with the log record of the voice output from the smart speaker.
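The plaintext log finding above can be reproduced as a triage check over captured traffic. The following is an added example, not code from the evaluation center: it runs over constructed flow records (the `SAMPLE_FLOWS` list, with an invalid hostname) and flags non-TLS HTTP bodies that carry device identifiers or voice-converted text, whether the body is JSON or a key=value log line.

```python
import json
import re

# Constructed sample of captured flows (not from the evaluation): each record
# summarises one TCP payload seen going from the speaker to its cloud endpoint.
SAMPLE_FLOWS = [
    {"dst_port": 443, "tls": True, "payload": b"\x16\x03\x01\x02\x00\x01\x00"},
    {"dst_port": 80, "tls": False, "payload":
        b"POST /api/log HTTP/1.1\r\nHost: cloud.example.invalid\r\n\r\n"
        b'{"device_id":"SPK-0001","asr_text":"turn off the bedroom light",'
        b'"tts_text":"OK, the light is off"}'},
    {"dst_port": 80, "tls": False, "payload":
        b"POST /api/log HTTP/1.1\r\nHost: cloud.example.invalid\r\n\r\n"
        b"serial=SN123456 level=INFO msg=wake word detected"},
    {"dst_port": 80, "tls": False, "payload":
        b"GET /ping HTTP/1.1\r\nHost: cloud.example.invalid\r\n\r\n"},
]

# Field names that identify the device or carry voice-converted text.
SENSITIVE_KEYS = ("device_id", "serial", "asr_text", "tts_text", "msg")
KV_PATTERN = re.compile(rb"(\w+)\s*[=:]")

def classify_flow(flow):
    """Return a finding for a non-TLS flow whose body carries sensitive fields, else None."""
    if flow["tls"]:
        return None
    head, sep, body = flow["payload"].partition(b"\r\n\r\n")
    if not sep or not body:
        return None
    try:  # JSON bodies: inspect the top-level keys
        keys = set(json.loads(body.decode("utf-8")).keys())
    except (UnicodeDecodeError, ValueError, AttributeError):  # plain key=value logs
        keys = {k.decode("ascii", "replace") for k in KV_PATTERN.findall(body)}
    leaked = sorted(k for k in keys if k in SENSITIVE_KEYS)
    if not leaked:
        return None
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return {"request": request_line, "port": flow["dst_port"], "fields": leaked}

def find_plaintext_leaks(flows):
    """Triage every flow and keep only those that leak sensitive fields in cleartext."""
    return [f for f in map(classify_flow, flows) if f is not None]

if __name__ == "__main__":
    for finding in find_plaintext_leaks(SAMPLE_FLOWS):
        print(finding)
```

On a real capture the same logic would be fed by a Wireshark/tshark export rather than the constructed list.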
Security of the smart speaker system and firmware upgrades.
First, the evaluation experts tested the downgrade risk of the smart speaker system and firmware. Most devices were found to use "upgrade detection" and "firmware signing" and to lock the serial port and USB interface, so that users cannot downgrade the firmware themselves, which protects the security of the smart speaker.
Second, the experts analysed the communication flow of the smart speaker's firmware update request. Analysis of the update request packets showed that some devices send the firmware upgrade request over the HTTP protocol.
The firmware download address can be read from the packet, creating a risk of firmware leakage.
At the same time, using an insecure communication protocol exposes the update to man-in-the-middle attacks.
The evaluation concluded that the firmware upgrade communication of some smart speakers exposes the download URL, and firmware leakage may occur.
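The two controls the evaluation credits (signed firmware with upgrade detection) and the one it finds missing (a protected update channel) can be checked together on the device side. The following is an added example, not the vendors' or the evaluation center's code: an update manifest is accepted only if its signature verifies, its download URL uses HTTPS, its version is strictly newer than the installed one, and the downloaded image matches the signed digest. The HMAC key and the sample image are constructed stand-ins; a real device would verify an asymmetric vendor signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed stand-in key: a real device would verify an asymmetric signature
# with a vendor public key baked into the firmware, not a shared HMAC key.
VERIFY_KEY = b"example-verify-key-not-real"
SAMPLE_IMAGE = b"constructed firmware image bytes"

def _canonical(manifest):
    """Bytes that the signature covers: version, URL and image digest, in a fixed order."""
    fields = {k: manifest[k] for k in ("version", "url", "sha256")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def _parse_version(text):
    return tuple(int(part) for part in text.split("."))

def sample_manifest(version, url, image, key=VERIFY_KEY):
    """Build and sign a manifest the way a vendor update server would (constructed)."""
    manifest = {"version": version, "url": url, "sha256": hashlib.sha256(image).hexdigest()}
    manifest["sig"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest

def check_update(manifest, current_version, image, key=VERIFY_KEY):
    """Return (ok, reason); every check must pass before the image is flashed."""
    missing = [k for k in ("version", "url", "sha256", "sig") if k not in manifest]
    if missing:
        return False, "manifest missing " + ", ".join(missing)
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "bad manifest signature"          # tampered URL, version or digest
    if urlsplit(manifest["url"]).scheme != "https":
        return False, "firmware URL is not https"        # plaintext download path
    try:
        if _parse_version(manifest["version"]) <= _parse_version(current_version):
            return False, "downgrade or same version rejected"
    except ValueError:
        return False, "malformed version string"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"            # corrupted or swapped image
    return True, "ok"

if __name__ == "__main__":
    good = sample_manifest("2.1.0", "https://updates.example.invalid/fw.bin", SAMPLE_IMAGE)
    print(check_update(good, "2.0.3", SAMPLE_IMAGE))
```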
(2) Security of smart speaker users' personal information.
Rules for the collection and use of personal information.
To provide users with more accurate customized services, smart speakers collect users' personal information, including location, address book, audio and video, and other sensitive data.
The China Software Evaluation Center conducted a compliance test of the rules for the collection and use of personal information on a number of speakers, as shown in Table 1.
When testing these rules, the evaluation experts mainly read the privacy policies of the smart speaker products in detail and interviewed the vendors about the questions that arose.
The smart speaker products covered by the evaluation have a complete personal information protection policy that is put into practice in actual use.
However, when collecting and using personal information, smart speakers still collect more of it than necessary.
For example, after the user opens the smart speaker App, their voice data is automatically collected for model training without any clear notice to the user.
The privacy statements of some products do not specify how often personal information is collected or how long it is stored.
In summary, smart speakers over-collect users' personal information and fail to clearly state the collection frequency and storage period.
Account cancellation by the personal information subject.
Users should have full control over the personal information stored by smart speakers. When a user requests account cancellation or destruction of user data, the smart speaker, the controlling App or the cloud service should offer a simple and convenient way to do so, and should not impose unreasonable conditions or additional requirements that increase the obligations of the personal information subject during cancellation.


