Hacking Intelligent Personal Assistants (IPAs)

August 25, 2017 by Infosec

We are at a point in history where progress in our technology is far outpacing our capacity to cope with it. This is typified by our relationship with intelligent personal assistants (IPAs) like Apple’s Siri and Microsoft’s Cortana. A recent study conducted by Creative Strategies found something very interesting: while 98% of American iPhone users have tried Siri at some point in time, only 30% admit to using it regularly. The rest of the 70% reported that they use Siri ‘only rarely or sometimes.’ Ok Google didn’t fare much better, as users said they felt awkward using these voice-recognition tools in public spaces. These numbers don’t paint a pretty picture for companies like Apple, Microsoft, Google, and Amazon. And yet they are eager to flex their technological muscles in this race.

This is because these tech goliaths realize that social norms are bound to evolve, and user convenience will always trump temporary social awkwardness. The opportunity cost is simply too big; the machine intelligence market is expected to grow to a whopping $16 billion by 2022, and IPAs are at its forefront. In the past year alone, we saw major strides towards the prevalence of IPAs. Siri made its jump over to the MacBook, Cortana was installed on over 350 million active devices by virtue of Windows 10, and Amazon’s home automation hub Echo, powered by Alexa, doubled its sales over the previous year.

But as with any new technology, risks are part and parcel of the package. IPAs, while giving you incredible ease of access to information and control of your environment, can also be used to violate your privacy. In fact, the reason that these tools are able to tailor themselves to any given person is precisely by gathering as much data about them as possible. And it is very possible that this data gets into the wrong set of hands.

This article is dedicated to discussing the ways in which IPAs are generally hacked and the consequences of those hacks. We will also touch on some basic safety precautions that you should take in order to keep potential hackers at bay.

How Are IPAs Hacked?

The not-so-old adage, “anything that is connected to the internet can be hacked,” is still very much valid. And all IPAs are always online; the information needs to be synched with the cloud so that your personal settings are associated with your account and not just a single device. This presents challenges to keeping your data safe and could be exploited in the following ways:

  1. The most common IPA hack doesn’t even require an internet connection. Siri is activated on the lock screen, by default on every iPhone it comes with. The same goes for Google Now on Android devices. So, if an unwarranted party somehow gets a hold of your phone, they can access your sensitive data without even knowing your phone’s password or login pattern. It can simply ask Siri or Google Now about your phonebook, call log, social media, etc. While being fairly common, this security breach isn’t as egregious as some of the other hacks, as only people close to you can get physical access to your phone. It is also the most easily preventable hack: just take better care of your phone and don’t give it to people you don’t trust.
  2. Third-party applications can also use IPAs for malevolent purposes, as they can provide a gateway to your private data. Of course, we should note that most third-party applications provide useful functionality on top of these IPAs, like using Siri to call an Uber or write a text on WhatsApp. And, while Microsoft hasn’t enabled Cortana to provide similar utility – at least not yet – hackers have already developed tools to enhance Cortana’s locus of control. Though it does little more than merely add more voice commands to Cortana, you can rest assured that third-party involvement is only going to multiply. But not every application on the App Store or Play Store can guarantee security. On top of that, it isn’t hard at all to develop applications that can take advantage of IPAs. For instance, back in 2014, a group of college freshmen from the University of Pennsylvania developed a Siri-driven app in a hackathon. The app, called GoogolPlex, was programmed to launch instead of Siri and override its functions. It did much more than vanilla Siri: you could use it manipulate room temperature if you had Nest, as well as open your Tesla’s doors. And if a group of college freshmen can achieve this much in a two-day hackathon, just imagine the havoc someone with the sole intent of malice could wreak.
  3. IPAs are also vulnerable to more sophisticated attacks. Back in 2015, computer scientists at France’s IT security agency ANSSI discovered a neat loophole in Siri’s voice recognition mechanism. The group used radio waves, in tandem with a pair of headphones and a microphone to replicate voice commands to Siri. It was also confirmed that this hack works on Google Now as well. There was at least one rigid limitation on the conditions of the hack: the victim’s phone had to be less than 16 feet away from the generation point of the radio wave signal. But the killer punch was that your phone could be hacked silently while it’s in your front pocket. Even the toolkit needed for the hack wasn’t hard to acquire, as all that was used was a laptop, a copy of the free software GNU Radio, a radio, antenna, and an amplifier.

The Consequences

IPA hacks can have devastating consequences for user privacy, as they provide access points to all avenues where your data resides; i.e., social media, browser history, application history, etc. Siri and Google Now can be made to spill out your call history and phone number and even send text messages. IPAs driving home automation like Alexa are susceptible to a different kind of nuisance. It won’t be an exaggeration to speculate that every Amazon Echo owner has at least once entertained the idea of their ”smart” home suddenly being taken over by someone else: lights switching on and off, the fire alarm going on, and the like. And, while it hasn’t happened yet, at least on a mass scale, the more people start depending entirely on Alexa on a daily basis, the notion of hacking it becomes more incentivized. Microsoft’s Cortana already does this if you’re using it on a Windows Phone, through an app called INSTEON. Not for much longer though, as Windows Phone is a dying breed, if not dead already.

How to Keep Yourself Safe

  1. For starters, do not let strangers handle your smart devices. This is a more general precaution, and applies to anything from your phone, smart speaker to your laptop. There is a good reason why social engineering is the most popular method of hacking—because it’s so easy.
  2. iPhone and Android users should first disable Siri and Google Now respectively on the lock screen. This prevents hackers from intruding on your data without knowing your passwords. Google Now is actually disabled on most new Android devices, though your mileage may vary due to the virtually countless variants of the operating system.
  3. Smartphone users can actually teach their iOS or Android devices to respond only to their voice. Both Siri and Google Now come with a feature that lets you teach them the owner’s voice. Though not the most secure way to log in, something even Google agrees with, it is still much better than your IPA responding to generic voice commands.
  4. Only use trusted third-party applications. You should steer clear of even remotely suspicious applications promising to making your life better if you give them access to your IPA. The risks are of astronomical magnitude for anyone who values their privacy.


IPAs are going to have a magnified role in millions of lives, if they don’t have already. With that comes the interest of hackers and, with time, they will become more literate with this relatively new technology, resulting in more sophisticated hacks. The developers of IPAs are doing everything they can on their end to keep your data secure, with techniques like end-to-end encryption, safe cloud storage, and user authentication. But it also falls upon users themselves to make sure any potential data leak is plugged right away.

Please check out SecurityIQ, sign up for free, and start using our interactive AwareEd Security Awareness Modules to increase your online security savvy!

Posted: August 25, 2017
View Profile