My voice is my password, or not…

Way back in September 2014, Yuval Ben-Itzhak, chief technology officer at the anti-virus company AVG, carried out several experiments that revealed new techniques hackers might use to gain control of voice-controlled devices. In an interview with Forbes magazine, he made these comments about devices with voice recognition capability:

“Microphones should be disabled immediately and our current recommendation is that the user switch off features [involving voice commands]… At the moment, leaving biometric technology as it is today is like leaving a computer without a password and just allowing anyone to walk by, click and take an action.” Scary, isn’t it?

He also added that a “thief outside the door” could take control of gadgets such as smart televisions or laptops from outside a target’s home, potentially burgling them without even smashing a window. Even scarier.

Voice as a password.

Voice biometrics is essentially a voice signature, allowing customers to “speak on the dotted line”. Voice biometrics software identifies a person through their unique voiceprint. In the same way that everyone has a unique fingerprint or retina, voice biometrics technology is used to identify a person through their voice patterns. To put it simply, because of its unique nature, voice can serve as a password, facilitating authentication processes and decreasing the risk of fraud for both organisations and their customers.

Though it looks “simple” and wonderful, there seems to be a consensus that the vulnerability of technology which uses voice commands is likely to become an important issue in the coming years, as smartwatches and connected home devices grow in popularity and the technology becomes commonplace.

The latest reminder of the potential weaknesses of voice recognition technology was published yesterday by the International Business Times in a very informative and graphic article explaining that hackers could steal our voice to access our bank account:

The University of Alabama at Birmingham, US discovered they were able to penetrate automated and human voice verification systems by capturing speech and using a simple, off-the-shelf, voice-morphing tool. The study highlights how it could be used for access to bank accounts, identity theft or even to damage somebody’s reputation. It also uncovers how vulnerable we are to leaving our information around without us knowing. “People often leave traces of their voices in many different scenarios. They may talk out loud while socialising in restaurants, giving public presentations or making phone calls, or leave voice samples online,” said Nitesh Saxena, the director of the Security and Privacy In Emerging computing and networking Systems (SPIES) lab and associate professor of computer and information sciences at UAB.

In a previous post I worried because major banks such as Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander had been attacked by hackers who sent 19,000 malicious emails in three days from spam servers worldwide, inviting users to download an archive containing a malicious .exe file. Now it seems that, with “voice theft”, security is still a number one issue. A bright future for security and cyber security companies!


Smart Cities Council | More people, more garbage: Report forecasts rapid growth in smart waste market

Cities around the globe are driving demand for innovative solutions to municipal solid waste. Fortunately, emerging smart technologies are on the way to enhance solid waste collection, generate renewable energy from it and optimize the environmental performance of landfills. This very nice article is complementary to my post on garbage collection issues in Barcelona. Enjoy the read.

Source: Smart Cities Council | More people, more garbage: Report forecasts rapid growth in smart waste market

Welcome to the Internet of Things Security Foundation.

A consortium of leading tech firms including BT and Vodafone has joined forces to create the Internet of Things Security Foundation (IoTSF), designed to ensure the security of IoT devices and respond to rising cyber threats. You may have missed the news as it does not seem to be super exciting; I can hear you say “yes, one more time another industry body is being created, so what!”. However, the important thing here is that the foundation includes big names such as BT or Vodafone and that it is about the Internet of Things: one more proof not only that the IoT is here to stay, but that it is big and will get bigger and bigger.

The foundation, which has been set up as a non-profit body, also counts Imagination Technologies, Royal Holloway University of London, Copper Horse Solutions, Secure Thingz, NMI and PenTest Partners among its founding members, which makes me think that it is mainly UK focused. I will need to watch its upcoming activities to confirm this or not. In the meantime, its mission and goals seem pretty clear:

The IoT Security Foundation has been established to respond to the many challenges and concerns over security:

  • It is a non-profit organization dedicated to driving security excellence.
  • It is a collaborative, vendor-neutral, international initiative which aspires to be the expert resource for sharing knowledge, best practice and advice.
  • It is an interactive resource led by an executive steering board.
  • It has an on-going program designed to propagate good security practice, increase adopter knowledge and raise user confidence.

So yes, they want to address security issues and concerns in the IoT space. Security is also one of the reasons why the Industrial Internet Consortium was created in 2014. Not surprisingly, amongst its goals we can find “build confidence around new and innovating approaches to security”.

Both associations seem to agree that as more and more devices are connected (e.g. cars, home automation, NFC smartphones, etc.), this should multiply the number of potential entry points for a network intrusion.

The IIConsortium focuses more on the industrial space, with the objective of accelerating the adoption of Internet-connected technologies across industries, while the IoT Security Foundation seems to focus more on the consumer space. They both share the same interest: concerns about security and how to respond to and tackle cyber threats. Their members are major actors in the IT industry, so why don’t they work together?