More than 100 million connected devices worldwide have Alexa voice technology, boasted Amazon at CES 2019. More than 200 million products are equipped with DuerOS outbid the giant Chinese Baidu. In short, the success of voice-activated speakers is real to the general public, for applications related to smart home. But cybersecurity professionals have long warned about the weaknesses of these systems in the face of malicious diversions.
Faced with these new risks, companies have specialized to solve the security vulnerabilities of connected objects. “IoT differs from the traditional security of companies, it combines both physical components and digital to secure this technology requires specific skills, including radio frequency,” says Jean-Claude Tapia, president of Digital Security, European CERT (Computer Emergency Response Team) dedicated to IoT.
The voice becomes indeed a sensitive biometric data with the rise of the vocal assistants. Pindrop has made the choice to focus specifically on its protection. The American start-up raised $ 90 million in December 2018 to develop this business and set up in Europe. Founded in 2011 to cater to the call center market, Pindrop has developed patents for the security of the control unit and the voiceprint to ensure the identity of the user.
Because imitations are still easily achievable, as a last example, in December 2018, a parrot managed to place an order on Amazon by imitating the voice of its owner and activating the Amazon Echo speaker. Thehackers also use the so-called dolphin attack of translating voice commands into inaudible ultrasonic frequencies for humans, in order to take control of personal assistants.
“Hacking the voice has no physical consequence, it is the takeover that is problematic.”
Pindrop plans to achieve in the coming years the majority of its turnover with the protection of voice assistants for the general public. The start-up is aimed at applications in the connected home as well as in the car. “Tomorrow, we can lock his home and his vehicle to the voice,” anticipates Vijay Balasubramaniyan, co-founder and CEO of Pindrop, who has teamed up with his fellow Allegion Ventures, American specialist connected locks.
Give priority to safety by design
The specificities of connected objects have also led cybersecurity companies to imagine protections at a more fundamental level, dedicated to the professional sphere. “The voice does not matter if it is hacked, the takeover is a problem.” An example with autonomous vehicles: it should not be a hacker goes through the voice command to then take control commands. Especially if he can do it for a car, he will be able to do it for all models of the brand and blackmail the latter, ” said Christophe Pagezy, the general manager of the French start-up Prove & Run, in particular, to equip all of its brands with voice recognition technology to enable drivers to interact with their vehicles.
During attacks on a connected object, the OS remains a privileged target because of the complexity of its structure which offers many flaws to exploit by hackers. To overcome this vulnerability, Prove & Run was created in 2009 to focus on IoT. The company has developed a small secure OS designed to accommodate the critical functions of connected objects, such as the firmware that runs the updates. This is to provide a basic software solution for the manufacturer to secure his product.
Other companies, such as Wallix, the French publisher of computer security software, specialize in securing voice assistant software. “We are working with manufacturers on the design of voice assistants in industry, health or banking, to ensure end-to-end encryption from the manufacturing stage,” explains Jean-Noël de Galzain. The founder and CEO of Wallix insists, just like the start-up Snips who designs the technology to develop voice assistants, on the need to have an integrated security from the design to avoid for example that the voice assistant is used as a snitch to retrieve information about a company. In this respect, it supports the decision of the European Union to set up.