We increasingly rely on Virtual Personal Assistants (VPA) such as Siri and Cortana to navigate life, as was described in a previous article. In that article, we offered a primer on how VPAs work and warned that most of them carry security risks. Those risks are the focus of this article.
To illustrate the kinds of security risks of VPAs, let’s looks at some real-life examples:
- Verizon-based devices have been especially prone to the holes and gaps that exist in the Knox System, which is used to protect the end user’s personal information and data in the Smartphone.
- The iPhone: The main issue security issue with the iPhone is the installation of rogue mobile apps onto an end user’s Smartphone without the user even knowing that it has happened. There are several ways in which this can be accomplished, such as compromising the Digital Certificates in the App Store.
- Windows mobile it is prone to just about any type or kind of security threat, as it uses the same version of the Windows 10 Operating System as the workstation and personal computer versions.
Next, we’ll look at some of the broader security issues that come into play with VPAs.
The problem of the user’s privacy
One of the first security issues that comes to mind is that of privacy. For example, as we communicate with either Siri or Cortana, the dialogue can still be considered as one sided. This simply means that the end user is engaging in most of the dialogue, while the VPA is merely responding with answers to the queries which are being asked of it.
But it is very important to keep in mind that it is not the mobile app upon which the VPA resides that is answering your queries. Rather, your conversations and queries are being transmitted back to the corporate headquarters of the vendor, be it Apple, Google, or Microsoft. In turn, it is the servers there which are feeding the answers back to the mobile app that then communicates the answers to you.
So, the question remains: How secure are the lines of communication between the mobile app and the transmissions sent back to the vendor’s corporate headquarters and vice versa? These companies may claim that the lines of communications are indeed secure, but are they really? To date, no known studies have been conducted to examine the depth of security of these lines of communication. It is quite possible that these lines of communication are totally unencrypted, making them a prime target for an Eavesdropping Attack by a Cyber attacker.
VPA’s utilize Artificial Intelligence
To be truly effective for the end user, VPAs attempt to get to “know” the user as much as possible. To do this, they need to learn more about the user’s particular habits and from there, try extrapolating and predicting future queries. VPAs are designed to be “intelligent” in this regard in that they use some form of Artificial Intelligence (AI) embedded deep within them to create a robust, timely, and accurate response to the end user’s particular query.
A good example of a VPA utilizing Artificial Intelligence is Google Maps, which communicates with the user and then uses its complex mathematical algorithms to mimic the human thought process by actually looking at a map and determining the most optimal and direct way in getting from Point A to Point B.
Other tools are also being used to make the VPA more intelligent than ever before. For example, the use of Neural Networks and Machine Learning are being incorporated to give the mathematical algorithms of the VPA a deep ability to learn, reason, and understand the needs of the end user on a real-time, 24/7 basis.
Vendors track, record, and store your conversations
When you interact with a VPA, a virtual audit trail of your conversations is literally being built, in a manner similar to enabling cookies on your Web browser. To make security matters even more complex, the conversations you are having with either Siri or Cortana are actually being recorded and stored by the vendor.
How long do VPA vendors store recordings between an end user and his or her VPA? Apple has a retention policy of at least 18 months. The timeframes for Microsoft and Google have not yet been disclosed to the public. Whatever the retention period is, these stored conversations could be “prey” for a Cyber attacker throughout that period.
Servers in foreign countries
It is equally important to note that a vendor’s servers may not necessarily reside exclusively in the United States or certain European countries, where there is some legal protection against wiretapping by the Federal Government or any other private third party. In fact, because Google, Microsoft, and Apple are all multinational companies, these servers are very likely housed in other countries, where protective mechanisms are not in place.
So, for example, although you might be having a conversation with Siri or Cortana here in the United States, there is a good chance that those conversations are then being transmitted back to servers located in a country like Russia or China. As a result, there is a much higher probability that your conversations could be wiretapped and listened into.
In summary, this article series has examined what a Virtual Personal Assistant is, and the major functionalities of the leading VPA brands from the likes of Microsoft, Google, and Apple. Most importantly, the series has explained the security risks that are inherent in all VPAs.
It is widely expected that the demand for, and the growth of, VPAs will only proliferate into the future. (The exact trends and predictions for VPAs will be examined in a future article.) One reason for this explosion is that leading IT vendors are investing heavily in VPAs in order to bring their customers a true, all-encompassing life experience when using the VPA for just about any task-related matter at hand. Thus, it is wise for end users to remain aware of the security risks that come with the VPAs they rely on every day.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.