McAfee Says Smart Speakers Could Become Targets for Sophisticated Malware in 2019
Last week McAfee released the McAfee Labs 2019 Threats Predictions Report, which details seven different security threat predictions identified by the company’s Advanced Threat Research Team. The predictions include reports on artificial intelligence as the future of evasion techniques, data exfiltration attacks to target the cloud, and voice-controlled digital assistants as the next vector in attacking IoT devices. Addressing voice assistants as a ‘network door’ to IoT devices, the report states:
The real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.
This opportunity to control a number of connected devices will not go unnoticed by cybercriminals. Bad actors are bound to target technologies of market winners with malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to interact with them.
Voice Assistants on Smartphones Will Be Targets
McAfee says that smartphones have already served as the door to these types of threats and that in 2019 they might become the ‘picklock’ that opens a much larger door. Smartphones provide access to voice assistant apps, which can hold personal data ranging from simple alarms to banking information. Existing examples of cybercriminals exploiting unprotected devices are the Mirai botnet and the IoT Reaper.
Voicebot’s Voice Assistant Consumer Adoption Report 2018 found that voice assistant use is far more prevalent on smartphones than on any other device and that one billion devices have access to voice assistant technology. There are twice as many monthly active voice assistant users on smartphones as on smart speakers, while voice usage in cars also exceeds use on smart speakers. Apple Siri is the leader in voice assistant usage on smartphones while Amazon Alexa leads on smart speakers in the U.S. Google Assistant is number two in both categories.
The reason why voice assistants are such a target is their use of the cloud. AI is built by “training” machine learning models on lots of example data. Machine-learned models in the cloud can be a secure way to make voice assistants smarter over time. However, they can also be a gateway for the exploitation of data.
The Cloud Is the Target
McAfee has found that 21% of data in the cloud is sensitive – such as intellectual property, and customer and personal data – according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on the data during the past year, cybercriminals know how to seek more targets. McAfee gave some specific examples of how sensitive data in the cloud might be exploited:
- Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS (Software as a Service) as well as in PaaS (Platform as a Service) and serverless workloads.
- Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in Infrastructure as a Service) expanding the S3 (Amazon Simple Storage Service is known as Amazon S3) exfiltration vector to structured data in databases or data lakes.
- Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced due to customer misconfigurations) to launch crypto-jacking or ransomware attacks into other variants of MITM attacks.
While the huge increase in the voice assistant user base is encouraging, as with any type of large platform, the risk increases with scale because it becomes a larger target. McAfee’s predictions are certainly threats to consider, especially by whoever will win the voice assistant war. That being said, we have seen many tabletop exploits of voice assistants over the past year, but most of them were impractical or have already been closed off as attack vectors. This is an area to monitor. Voice assistants have thus far been spared any publicly acknowledged attacks by cybercriminals. Eventually that good fortune will come to an end.