Imagine outsourcing all those mundane office tasks--managing calendars, ordering supplies, reserving meeting rooms--to Alexa, Amazon's voice-activated virtual assistant. With Amazon's new Alexa for Business, that fantasy can come true, but, some cybersecurity researchers say, potentially at the cost of serious security risks. Think corporate espionage and hacks.
On Thursday, Amazon debuted a new enterprise version of its popular virtual assistant Alexa, which works with the Echo, Amazon's Internet-enabled speaker. Alexa for Business can do everything from making phone calls to figuring out when you should leave for the airport.
But white hat hacker William Caput warns that Alexa for Business is a potential security risk for companies. Caput, who conducts penetration tests on companies, says always-listening devices, such as smart TVs and virtual assistants, transmit data back to a product's parent company to be used for things like data mining.
"It seems very naive for a business to consider using something like this unless there is an explicit use policy that states certain types of data transmission will not happen," says Caput. "Before you use it, you'd want to conduct rigorous hacking testing and figure out what is being listened to and what is being sent."
Amazon Listening In
Since Alexa can be integrated with your IT assets like phones and calendars, Tim Roddy of Fidelis Security says that some data will be stored in Alexa's infrastructure. This could mean that some company data is either stored by or transmitted to Amazon.
Caput says Amazon, in particular, has an incentive to listen and gather keywords that can then be used in targeted marketing. The Wall Street Journal reports that Amazon claims the Echo speaker doesn't send data to the cloud unless users "wake" the device by using its name--"Alexa." But Caput says Alexa for Business has not yet been rigorously tested by the security community, and the potential risks, security holes, and vulnerabilities are unknown.
Companies conduct corporate espionage to get a leg up on deals or an edge on technological advancements, like the Uber-Waymo self-driving car trade secret case. Caput says wireless devices are ideal tools to exploit for this purpose, since connected devices have minimal security protocols. "A competitor could hack the device," says Caput. "I can take control of a computer and access their web cam or a wireless speaker with publicly available tools."
Government snooping is also a risk. "You can have the National Security Agency listening in," Caput says. "You have the entire security apparatus that Ed Snowden uncovered--the warrantless tapping of devices."
While these risks may sound paranoid, Caput, a cyber researcher, says connected devices are a favored way to breach a company's security protocols. "It's not conspiracy theory," he says. "I've seen these types of hacks or I have done them myself with internet-of-things devices."
Rick McElroy suggests that companies perform their own risk analysis as to whether it's worth bringing a new technology like Alexa for Business into the fold. "Does the value of this technology outweigh, or offset, the risk?" says McElroy, a security strategist at Carbon Black, a cybersecurity firm. "If the answer is 'yes,' then a concerted effort should be made to continuously patch when updates are available as well as educate employees on cybersecurity best practices."