Privacy Issues in Voice Assistant Ecosystems

TL;DR

This paper examines privacy vulnerabilities in voice assistant ecosystems by analyzing data storage points and permissions, highlighting potential security risks for user personal data.

Contribution

It provides a detailed analysis of personal data artifacts and permissions in popular voice assistants using IoT forensic methods and testbed experiments.

Findings

Identification of data storage locations within ecosystems

Comparison of app permissions before installation

Highlighting privacy risks and attack points

Abstract

Voice assistants have become quite popular lately while in parallel they are an important part of smarthome systems. Through their voice assistants, users can perform various tasks, control other devices and enjoy third party services. The assistants are part of a wider ecosystem. Their function relies on the users voice commands, received through original voice assistant devices or companion applications for smartphones and tablets, which are then sent through the internet to the vendor cloud services and are translated into commands. These commands are then transferred to other applications and services. As this huge volume of data, and mainly personal data of the user, moves around the voice assistant ecosystem, there are several places where personal data is temporarily or permanently stored and thus it is easy for a cyber attacker to tamper with this data, bringing forward major privacy issues. In our work we present the types and location of such personal data artifacts within the ecosystems of three popular voice assistants, after having set up our own testbed, and using IoT forensic procedures. Our privacy evaluation includes the companion apps of the assistants, as we also compare the permissions they require before their installation on an Android device.