Threat Analysis of Smart Home Assistants Involving Novel Acoustic Based Attack-Vectors

Sammanfattning: Background. Smart home assistants are becoming more common in our homes. Often taking the form of a speaker, these devices enable communication via voice commands. Through this communication channel, users can for example order a pizza, check the weather, or call a taxi. When a voice command is given to the assistant, the command is sent to cloud services over the Internet, enabling a multitude of functions associated with risks regarding security and privacy. Furthermore, with an always active Internet connection, smart home assistants are a part of the Internet of Things, a type of historically not secure devices. Therefore, it is crucial to understand the security situation and the risks that a smart home assistant brings with it. Objectives. This thesis aims to investigate and compile threats towards smart home assistants in a home environment. Such a compilation could be used as a foundation during the creation of a formal model for securing smart home assistants and other devices with similar properties. Methods. Through literature studies and threat modelling, current vulnerabilities towards smart home assistants and systems with similar properties were found and compiled. A few  vulnerabilities were tested against two smart home assistants through experiments to verify which vulnerabilities are present in a home environment. Finally, methods for the prevention and protection of the vulnerabilities were found and compiled. Results. Overall, 27 vulnerabilities towards smart home assistants and 12 towards similar systems were found and identified. The majority of the found vulnerabilities focus on exploiting the voice interface. In total, 27 methods to prevent vulnerabilities in smart home assistants or similar systems were found and compiled. Eleven of the found vulnerabilities did not have any reported protection methods. Finally, we performed one experiment consisting of four attacks against two smart home assistants with mixed results; one attack was not successful, while the others were either completely or partially successful in exploiting the target vulnerabilities. Conclusions. We conclude that vulnerabilities exist for smart home assistants and similar systems. The vulnerabilities differ in execution difficulty and impact. However, we consider smart home assistants safe enough to usage with the accompanying protection methods activated.