Ian Burgess, Principal, Technology and Digital Policy Delivery, UK Finance
Amazon’s Echo Dot hit the headlines recently with reports that its voice-activated software, Alexa, not only recorded a private conversation between a couple, but then sent the conversation to someone in their contact list without either the couple’s knowledge or an instruction to do so.
Alexa – and other voice-activated systems – are, of course, part of the Internet of Things (IoT), a network of interconnected devices with an inbuilt internet connection that allows them to be controlled remotely. Other examples include Nest and Hive, where users, amongst other things, can turn on their home heating system just before they leave work in the evening, though the most currently talked about IoT devices are ‘home assistants’ such as Amazon’s Echo Dot and Google Home.
The market for IoT was forecast to have 8.4bn connected ‘things’ in use worldwide in 2017, up 31 per cent from 2016, and have a worldwide spend of $772.5bn in 2018, up from $674bn in 2017, as consumers and businesses begin to realise the benefits of these devices. However, for all of the benefits, there are also potential emerging risks which it is important to be aware of. Namely, as these devices become increasingly interconnected, they are extending their ability to reach further into what was once considered ‘private’.
Home assistants (sometimes referred to as smart speakers) work by utilising language processing software to identify voice commands which in turn allow users to, amongst other things, connect to other devices in their home, such as a music player or heating system. In addition, they use artificial intelligence (AI) to provide intelligent suggestions and answers to queries, allowing them to better understand the type of requests being asked.
Consumers should be aware of the risk that home assistants potentially pose due to their ability to ‘hear’ and record sensitive conversations such as passwords or credit card data that a user would not normally share except with people they trust. This goes beyond the possibility of conversations being shared with known contacts in error, however. If a user’s home IoT network is not sufficiently secured this information could be compromised. It is important to emphasise that the security of the network is only as strong as its weakest link – in other words, it is not just the WiFi network that needs to be secure, but all the devices connected to it.
From a privacy perspective, as highlighted with the Alexa story, there are clearly concerns too. Whilst it may be an unlikely scenario, while the possibility of a recurrence exists users should be careful what information they allow these devices to listen to. As the security considerations of new technologies that are being rapidly developed often lag behind the development of the product, users may wish to consider the following security tips:
- Change security settings (passwords, PINs, code words etc.) away from the default ones
- Use a different password for each device
- Only connect devices to the internet that require that functionality – just because it can be connected doesn’t mean it has to be
- Segregate IoT devices onto a separate network i.e. a Local Area Network (LAN)
- Ensure that devices have up to date patches (whether that be automatically or by manually updating them)
Given the increased use of IoT devices as consumer habits change, the financial services sector should continue to approach this technology with a view to providing innovative products – whether through improving payments via wearable devices, or by using big data to provide a more tailored experience. However, they should also remain cognisant of how the connectedness of devices can also pose risks to their customers and apply the same ‘privacy by design’ approach and cyber security rigour to their design and software development lifecycles as they do currently to online banking. With GDPR having taken effect on 25 May, these issues are more salient than ever.
Cyber fraud is always at the forefront of UK Finance’s mind, and the Cyber Aware campaign – run by the government and supported by UK Finance – provides simple secure online behaviours to protect people from cyber criminals. Based on expert advice from the National Cyber Security Centre, it recommends ways to protect your device and your data. If you have an IoT device in your home, now is an opportune time to check that your private conversations, and the devices you own, are safe and secure as they should be.