Your Alexa is Spying on you!

I’ll bet $30 and the PBR you have in your fridge that your home network consists of the old router-and-Wi-Fi combo from your internet service provider. It has four ports on the back of it and some coax cable running into it. You might use one port for your PS5 that you beat up some kid at Best Buy for, and everything else is run off Wi-Fi. If you have an Alexa device, you are even more tech-savvy, and you might have figured out how to change the name of your LAN to “FBI Surveillance Van #3” to scare the neighbors and give yourself a hearty chuckle when you connect to it.

Alexa is a Digital Wire Tap

I’ll also bet that at some point, you purchased a smart device from Amazon, like Alexa, or Google. (If you bought the Apple one, you must be extra proud of how your Prius saves the world.) You probably slapped that smart device on the same network you use to play video games, check your bank account, watch Garand Thumb, and do certain “special activities” on, too. You have also heard the talk about how the device is pretty much a wiretap, so you bought a VPN subscription from an ad on your favorite podcast to solve the problem. “No way Jeff Bezos is spyin’ on me,” you say.

So, let’s cut to the chase: They are spying on you. Your VPN subscription may make you feel better, but it isn’t doing anything to stop information from being collected on you, and what’s more, you paid them for their efforts. Suppose you are like millions of other Americans operating from a flat network at home. That little wiretap can communicate with all your devices and sniff your traffic for various reasons. This means your shopping habits, day-to-day routines, and even your “special” habits are being recorded.

You ar being spied on both physically and electronically. So what can you do? — (Photo by iStock)

Terms and Conditions

Amazon mandates on its developers’ page that Alexa Voice Service (AVS) must use TLS 1.2, meaning that anything it sends home to Uncle Jeff is encrypted, and you can’t know what it is. This is good if you order something that requires your personal and payment information. This is terrible if you are trying to figure out precisely what the device tells the remote services it uses to function. It is also terrible because when you send data over the Alexa device, you can no longer control it on your home network.

AV-TEST, a German-based cybersecurity organization that independently tests and evaluates cybersecurity software, ran an experiment on an Amazon Echo Dot in 2017. They tested when the Echo Dot sent packets over a network and what triggered the transmission by putting it in a quiet room with two people. After 8 seconds of silence, they used the wake word “Alexa” and asked the Echo Dot what time it was. The packet capture showed zero transmitted bytes up until the wake word was said 9 seconds in. After the Echo Dot answered, they fed it another 8 seconds of silence and then used the wake word “Alexa” again and quoted Jean-Luc Picard: “Tea, Earl Grey, hot.” Again, there was no traffic over the net during that silence until the wake word was said, and the Echo Dot fed Amazon’s servers the input and fetched the output.

Real World Testing

After the Echo Dot responded, the two in the room held a normal conversation for about half a minute, ensuring that the conversation didn’t include the wake word “Alexa.” During that conversation, the Echo Dot transmitted zero bytes over the network. Likewise, it didn’t contact its home servers unless the wake word was said.

Our corporate overlords aren’t off the hook yet. AV-TEST explicitly said that because it was calling home using encryption, they had no idea what was being transmitted, to begin with and could only make assumptions. That’s not to say that the Echo Dot didn’t totally listen in on the conversation and then report back to its home servers the next time its wake word was said and it had permission to transmit. The only entity that has the private key for the encryption is Amazon. The experiment didn’t mention if the conversation was held in German or English or if words that Amazon finds unsavory (since Amazon is purging the site of specific political points of view) were said.

In the age of digital tech. You are constantly being monitired. — (Photo by iStock)

Settings for Safety

The best answer to the question, “Is my smart device spying on me in my own home?” is that it is difficult to be sure, which is terrifying. However, it’s not all over for your sense of privacy for money or marital purposes if you must still have the wiretap in the house. However, let’s talk mitigation. The first thing you can and should do for all your insecure “Internet of Things” devices is not to have them on the same network where you do important things. The most basic router-and-Wi-Fi combo from your ISP can isolate hosts, preventing each of your network devices from talking to each other. This will remove some of the functionality that makes your IoT devices appealing, but at least the risk of Alexa spying on your network traffic is mitigated.

Your network can also be segmented with one of two concepts that will require some research, but that will go a long way toward protecting your privacy: VLAN and subnetting. A VLAN, or virtual local area network, is a special switch on your network that creates a virtual network that groups specified devices into their segments. VLANs are a great way to keep different devices on your home network from talking to each other while still retaining the whole usability of your devices.

Getting Technical

On the other hand, subnetting essentially splits your current network into different portions that are separate from each other using the concept of a “subnet mask.” For instance, your home setup can probably accommodate one subnet of 255.255.255.0 or two subnets of 255.255.255.128 that are segmented from each other (these subnet mask numbers define the range of IP addresses that can be used in a network). Learning how to shape traffic with a firewall is also useful; even your ISP router-Wi-Fi combo comes with a firewall. For beginners, YouTube has plenty of free information on all these concepts and how to use them. The only investment you’ll need is time and patience.

Digital surveillance is all around us. — (Photo by iStock)

Safety And Security for Your Whole Life

Given the tumultuousness of this new decade, preparedness and resilience are virtues. People put a lot of effort and money into training, firearms, and equipment, which can separate the survivors from the casualties during physical confrontations. Still, we often completely ignore the massive communication, commercial, and entertainment media that virtually connect us to the world.

However, we are increasingly aware of the rules of digital engagement: Your information is a commodity, and if you are of a particular political persuasion, you may be a target for neutralization by tech companies that might hate you. And this doesn’t even account for the handful of countries that want to use this country’s internet against it. Learning how your home network works and how to secure it are the first steps to digital preparedness and resilience in the 21st century.

In the 1950s, Americans built bomb shelters to protect their families against a Soviet threat. Today, you can prepare against an online attack by learning to isolate and protect your home networks instead of depending on slogans and buzzwords that you don’t even understand to protect you.