General security

The Virtual Personal Assistant and Its Security Issues

Introduction

Our past series of articles have examined the various Security related surrounding the use of Smartphone based technologies. We did not examine just the general attacks and threats, but rather, we took each system and examined from the three major types of Smartphones, which are as follows:

The Samsung wireless devices, and the Android Operating System
The iPhone, and the iOS Operating System
The Windows Mobile devices and the Windows 10 Operating Systems

Each device has its own unique set of Security vulnerabilities with it. For example, with the Verizon based devices have been especially prone to the holes and gaps in the Knox System (this is used to protect the personal information and data in the Smartphone).

Regarding the iPhone, the main issue Security issue here is installing rogue mobile apps onto an end user's Smartphone without them even knowing that it has happened. There are a number of ways of in which this can be done, such as compromising the Digital Certificates in the App Store.

With regards to the Windows mobile, it is prone to just about any type or kind of Security threat, as it uses the same version of the Windows 10 Operating System just like the workstation and personal computer versions of it. As it was also reviewed, the Cyber attacker knows that the Smartphone has become an extension of both the personal and professional lives of individuals.

So, for instance, if our Smartphone was ever disabled, hijacked, lost, or stolen in any way, a sheer feeling of helplessness and paralysis would soon ensue upon us. Thus, the sophisticated Cyber attacker of today not only knows the technical weak spots of the Smartphone, but he or she also knows the emotional pain points which can cause the greatest amount of damage as well, in which the net effects could be even much worse.

Thus, it is important to keep mind that at this rate, the Smartphone is going to continue to evolve at even greater lengths to continue to be that proverbial "leash on life," with the many other new applications that are coming out. One such example of this is the "Virtual Private Assistant," also known as the "VPA" for short, and is the focal point of this article.

What Is a Virtual Personal Assistant?

Have you ever noticed anybody talk into their Smartphone, such as asking a particular question? Alternatively, have you even noticed a Smartphone talking to an individual and giving exact directions on how to get from Point A to Point B?

Well, this is a Virtual Personal Assistant which is being used. Regarding the latter, probably the one that is most widely used is that of Google Maps. From the mobile app, you can enter your destination address (it knows your starting point because of the GPS technology which is being used on the Smartphone). Every step of the way, it gives, or literally "talks" your way in the best route possible to get to your destination.

In technical terms, a Virtual Personal Assistant can be defined as follows:

"An intelligent virtual assistant is an engineered entity residing in software that interfaces with humans in a human way. This technology incorporates elements of interactive voice response and other modern artificial intelligence projects to deliver full-fledged "virtual identities" that converse with users." (SOURCE: 1).

Thus, as you can see from the definition, there are two defining characteristics of a Virtual Private Assistant:

It is interactive with the end user (either via voice or other form of messaging system)
It makes use of what is known as "Artificial Intelligence" (this is software which tries to mimic the thought process of the human brain).

So, back to our example of Google Maps, it fulfills the "interactive" criteria, because as mentioned, it can talk directly to the end user directly from the mobile app. Regarding the Artificial Intelligence component, through the complex mathematical algorithms that it possesses, it "mimics" the human thought process by actually looking at a map and determining the most optimal and direct way in getting from Point A to Point B.

There are other tools which are also being used to make the Virtual Personal Assistant even more "intelligent" than ever before. For example, the use of Neural Networks, and Machine Learning are being incorporated as well to make the mathematical algorithms of the Virtual Private Assistant have the deep ability to learn, reason, and understand the needs of the end user on a real-time basis, 24 X 7 X 365.

One of the main catalysts for the explosion of the adoption and use of Virtual Personal Assistants has been the heavy investments being into them from the tech giants of Microsoft, Oracle, Google, Cisco Systems, etc.

Meaning, they are not just simply an add-on which is made as an optional service that the individual can just merely use, they are now literally becoming tangible products which the end user expects and even demands to see on their Smartphone of today.

The Virtual Personal Assistant Brands

As mentioned, it is not just Google Maps which is the only Virtual Personal Assistant that is out there. There are many others which are still evolving, and in this section, we detail some of the more widely used VPAs.

It is important to note at this point that these VPAs are designed to provide what is known as an "all encompassing" experience for the end user. In other words, they are not designed just to serve one purpose as Google Maps does, but rather they have innovated to provide a holistic experience for the end user, once again, in both their personal and professional lives.

Also, as these VPAs are designed to evolve further and grow with the Internet of Things, which will be covered in more detail in a future article. So far, here are the major players in the VPA market:

Siri:

This VPA has been developed and implemented by Apple primarily for all of the iPhone devices. It has also recently been deployed on the Apple TV and Apple Watch as well. It can engage the end user in meaningful conversations with regards to helping the end user decide upon what the next course of action should be. Its greatest strength is that through its Artificial Intelligence algorithms, it can understand human language at a deep level. Its main drawback is that it cannot interoperate with other mobile apps on the iPhone. The replacement for Siri is known as "Viv," and it is purported that it will be able to answer very complex questions which are posed to it by the end user.
Google Now:

This VPA has been designed specifically for the Android Operating System and is meant to work primarily on the Samsung wireless devices. It is deemed to be more sophisticated than Siri regarding the robustness of the mathematical algorithms which are used. For example, it can harvest through your E-Mail inbox and your Web Browsing history to help the end user in more complex situations. It also keeps detail about your personal information and data, and to a certain degree, it can even communicate with other mobile apps which also reside on the Samsung wireless devices. In this regard, its higher level of sophistication is also deemed to be its greatest disadvantage, as many end users have complained that it violates their privacy rights.
Microsoft Cortana:

This VPA has been created not only for the Windows 10 Operating System but also for the Windows Mobile devices as well. However, interestingly enough, it can also to a certain degree even function on the iOS and Android Operating Systems as well. Cortana has been designed more to interact with the personal life of the end user, by setting up reminders and other types of calendar appointments, as well as answering general kinds of questions. Its greatest strengths are that it can interoperate quite effectively with other Windows-based mobile apps, and can even function with Skype as well. However, its greatest weakness is that it is much less sophisticated that Siri or Google Now, and in fact, is the least used feature on the Windows 10 Operating System.

The Security Issues Surrounding a Virtual Personal Assistant

[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]

Despite the advantages that a Virtual Personal Assistant brings to an end user, or even for a business or a corporation, there are serious Security issues that are associated with them. Although the advent of a VPA is not a totally new concept, its huge demand and growth into the Smartphone is still being embraced.

This means that the assessing the security risks and threats which are posed to the different VPA applications are still being ascertained, and its magnitude of impact is still being quantified.

One of the first Security issues that comes to mind is that of privacy. For example, as we communicate with either Siri or Cortana, the dialogue can be still be considered as one sided.

This simply means that it is the end user who is engaging in most of the dialogue, and it is the Virtual Personal Assistant who is merely responding with the needed answers to the queries which are being asked of it.

However, it is very important to keep in mind at this point that it is not the mobile app upon which the VPA resides on which is answering to you -rather your conversations and queries are being transmitted back to the corporate headquarters of either Apple, Google, or Microsoft. In turn, it is the servers there which are feeding the answers back to the mobile app which is communicating with you.

So, the question remains is how secure these lines of communications between the mobile app and the transmissions sent back to the corporate headquarters and vice versa are? True, these companies may merely state that the lines of communications are indeed secure, but are they really?

Up to this point, there have been no known studies which have been conducted to examine the depth of Security of these particular lines of communications.

It is quite possible that they are totally unencrypted, and as a result, they could be a prime target for an Eavesdropping Attack by a Cyber attacker. It is also equally important to note that these servers may not necessarily reside exclusively here in the United States, where there is some legal protection afforded to citizens of wiretapping by the Federal Government or any other private third party.

These servers are very likely housed in those countries (given the fact that Google, Microsoft, and Apple are all multinational companies) where these protective mechanisms are not in place.

So, for example, although you might be having a conversation with Siri or Cortana here in the United States, there is a good chance that those conversations are then being transmitted back to the servers which reside in a country like Russia or China. As a result, there is a much higher probability that your conversations could very well be wiretapped, and being listed into.

Because of this, a virtual audit trail of your conversations is literally being built, in a manner similar to that of enabling cookies on your Web browser. To make Security matters even more complex, the conversations that you are having with either Siri or Cortana are actually being recorded and stored.

Apple has a retention policy of at least 18 months, the timeframe for Microsoft and Google have not yet been disclosed to the public. As a result, these stored conversations could be "prey" for the Cyber attacker.

Conclusions

In summary, this article has examined what a Virtual Personal Assistant is, and the major functionalities of the leading VPA brands, from the likes of Microsoft, Google, and Apple. As it was also reviewed, Virtual Personal Assistants are also "intelligent."

They are also termed as "Intelligent Virtual Assistants" because they actually use some sort of Artificial Intelligence (AI) embedded deep within them to create a robust, timely, and equally important, an accurate response to the end user's particular query.

To be truly effective to the end user, these Virtual Personal Assistants try to get to "know" you as much as possible. To do this, they need to learn more about your particular habits and try to extrapolate and predict future queries.

In this regard, the use of Machine Learning as well as Neural Network technology has also been embedded into these mobile app packages.

It is widely expected that the demand for and the growth of Virtual Personal Assistants will only proliferate into the future (the exact trends and predictions for VPAs will be examined in a future article).

Part of the reason for this explosion are the heavy investments which are being made into them from the leading IT vendors, to bring their customers a true, all-encompassing life experience when it comes to using the VPA for just about any task related matter at hand.

However, despite the many advantages that a VPA brings to the table, there are also inherent Security risks associated with them as well, as it was reviewed in the last part of this article. These include insecure lines of communications and the recording of conversations by the Vendor who developed the VPA.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Our next article will examine in more detail the other Security risks which are posed by using a Virtual Personal Assistant.

Resources

Posted: June 1, 2017

Ravi Das

View Profile

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.