Holy cow. It’s finally arrived, the moment when we are to fear our own technological devices. If you haven’t figured it out by now, I, Binary Blogger, am not anti-IOT (Internet of Things); I am anti-stupidity on the part of the producers of IOT devices. There is no discipline, no regulatory pressure and no accountability to integrate any level of standard security practice into these devices. Now Samsung, one of the world’s largest electronics companies, has come out publicly to warn consumers not to talk about personal information near their smart TV. The reason is that the voice activation functions, which use a microphone, may, and probably do, transmit your voice over the Internet to a 3rd-party location.
Specifically, through a policy change, Samsung has called out Nuance Communications, Inc. as the suspected 3rd party. Samsung assures us that it does not store your recorded voice, but it can’t say the same for Nuance, which provides the voice recognition technology. If Samsung stepped up and put out this warning, there must be some credibility to the notion that this is happening. Some tech working on their own TV must have seen a little extra data being sent out that raised an eyebrow.
“If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.”
The next time you call your bank or credit card company to check on your account and say your social security number for verification, your account numbers, birth dates and verbal passwords could be heard by your TV, recorded and stored elsewhere. The Internet of Things is so cool, convenient and life changing, with all this connectivity and functionality built into everything from your toys to your coffee maker. The trade-off is that you have no idea what data about you is being sent, where it’s being sent and for what purpose.
This needs to stop, and these companies need to be held to the same regulatory requirements, audits and certifications that industry-focused organizations are. In my opinion Nuance should be held accountable to HIPAA, FFIEC, PCI and FISMA, since their customers could speak their banking, credit card and health information near their smart TV, and if Nuance is indeed receiving the recordings, that is the same as holding the data record. They would need to have all the encryption, access controls, access auditing, destruction processes, retention and archival processes, notifications, etc… that the aforementioned regulations dictate.
In the near future you will see a huge, public court case in which the only evidence came from a residual recording of a voice or image captured by an IOT device that the owner had no idea was recording. Unfortunately it’s going to take something large, public and bad to get the public to realize what’s really going on.
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming and system administration through senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.