Amazon Ups Alexa Voice Service Security Requirements
Amazon has updated the minimum security requirements for devices using Alexa Voice Service (AVS). The new rules set out what manufacturers need to include in their products to be able to access the Alexa voice assistant. The updates include combining all of the AVS software development kits for the first time, including Alexa Smart Screen and Alexa Auto.
Securing Alexa Access
The new security rules will come in two waves. The first set comes into effect on August 1 this year, followed by the second set a year later. To improve the security of Alexa devices, Amazon laid out a mix of hardware and software requirements, along with new guidelines for checking and maintaining security. On the product side, future AVS products will need a mix of security features like Secure Boot and Secure Key Storage, as well as hardware-based cryptographic engines and separation of account privileges. All of those elements make it harder for an unauthorized user to target a device or snag data from it.
In terms of process, Amazon’s rules are a little broader. The company encouraged product makers to model and test for potential security issues and to do research on suppliers to make sure they don’t represent a vulnerability. On top of that, device makers have to get an independent expert to check and certify that the devices are secure before they launch and every time there’s a major update. Combining all of these steps is going to be necessary for any company that wants to use any of Amazon’s voice capabilities.
“Connected devices rely on complex embedded operating systems and multiple layers of application software,” Amazon explained in a blog post about the new rules. “Any time you add new features to an existing fleet of devices, you risk introducing new vulnerabilities to the device. Therefore, it is important that you develop a mature software maintenance strategy where you periodically patch vulnerabilities in software on your devices.”
Security Improvements as Alexa Spreads
Amazon is eager to get third-party manufacturers to build Alexa-connected devices. The company’s smart home strategy is built around encouraging people to include more voice-powered devices in their lives. That’s one reason it created a variant of Alexa that uses a fraction of the power and memory of the standard voice assistant.
The researchers attempted to make their tests of this potential vulnerability at least semi-realistic. They compared using visible laser light with an infrared version, determined how precise the line-of-sight has to be for the microphone to interpret the command correctly and looked at how responsive the various models were to this kind of attack.
The preemptive nature of these security standards is crucial for Amazon’s strategy for voice, however, because it can help raise the trust consumers put in Alexa products. Many surveys point to privacy and security concerns as a central reason that people hesitate to buy devices with voice assistants. Developers want to do what they can to limit the times that concern is justified. And there are real cybersecurity concerns that these standards might mitigate. While the chances of a laser hacking a smart speaker are very slim, more prosaic hacking through phishing scams and other tactics is all too real. Then there are the errors, like when Google had to block Xiaomi smart cameras from Google Assistant after reports surfaced that they were showing other people’s homes. Amazon is clearly counting on these standards to help ensure that no device connected to its network compromises anyone’s privacy.