Answered

Disable "listening" services like Alexa?

  • 4 October 2017
  • 16 replies
  • 18839 views

I hope Sonos provides some way to completely disable Alexa or any other listening-servie on its hardware and software if they are going the voice-command route. I'm extremely security and privacy conscious, and have to be in my work. I can't understand why anyone would want a device "listening" to everything said in the home or office setting. Trusting devices like that suggests a lot more faith and trust in companies and government than I have, despite assurances that it only listens for the key phrase to activate. It's a sure bet there's either a back door in it, or someone will hack it to eavesdrop on everything.
icon

Best answer by Ryan S 4 October 2017, 21:48

View original

This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

16 replies

My advice then would be not to buy a Sonos One or Alexa device
Userlevel 7
Badge +26
Quoted from my announcement post here:

Security and Microphones
Your security and data are very important to us, as we said in our blog here. With Sonos One we are keeping to that.

Sonos One is designed with extra security: An illuminated LED indicator light ensures you always know when your speaker’s microphones are active or turned off. You can tap on the microphone symbol to enable or disable the microphones, the light is always tied to the microphone’s status. For security and privacy reasons, it’s impossible to disable the LED when the microphones are turned on.


Simply put, there's an LED that will be on if your microphone is on. There isn't a workaround or way to separate them without cracking open the case or breaking the LED.
Userlevel 5
Badge +11
It's a sure bet there's either a back door in it, or someone will hack it to eavesdrop on everything.

I doubt I can change your mind, but I would suggest that we often have an inflated value of our own privacy. It's a relatively high effort, low reward way to compromise someone's personal details.

You may also find the privacy policy to be of benefit:
http://www.sonos.com/en-us/legal/privacy
Quoted from my announcement post here:

Security and Microphones
Your security and data are very important to us, as we said in our blog here. With Sonos One we are keeping to that.

Sonos One is designed with extra security: An illuminated LED indicator light ensures you always know when your speaker’s microphones are active or turned off. You can tap on the microphone symbol to enable or disable the microphones, the light is always tied to the microphone’s status. For security and privacy reasons, it’s impossible to disable the LED when the microphones are turned on.


Simply put, there's an LED that will be on if your microphone is on. There isn't a workaround or way to separate them without cracking open the case or breaking the LED.


Thanks for your reply and for pointing that out. It's good to know that the mic can be switched off. I know you take security seriously, and didn't mean to imply otherwise. I have less faith in Amazon & Google, for instance, and they are also larger profile targets.
It's a sure bet there's either a back door in it, or someone will hack it to eavesdrop on everything.

I doubt I can change your mind, but I would suggest that we often have an inflated value of our own privacy. It's a relatively high effort, low reward way to compromise someone's personal details.

You may also find the privacy policy to be of benefit:
http://www.sonos.com/en-us/legal/privacy


Thanks for your comment, and let me say I TRY to be open to changing my mind due to a superior argument or if the weight of evidence overrules my current position. But we all tend to be steadfastly rigid in our views once we've developed an informed opinion. That said, I hope this isn't too much of a response, but here goes.

So would you mind leaving your curtains open tonight so I can see what you are doing? And while you're at it can I have your credit card bills from last year? Maybe you do value your privacy.

I have read a great deal about this issue, not only of Alexa but the entire Internet of Things security issues. It's still early in the game to know exactly what can happen technically and how the laws will adapt to it. And it's not just a kid trying to hack you from his bedroom. There's government surveillance (ours and others), corporate espionage, and major criminal uses for stealing a listen. It may be high effort, low reward just to get your personal information, but it's a major reward if they suddenly can get the information en masse. [e.g. Equifax, Verizon, et al] And let me know how you feel about it after someone's stolen your identity.

Many government contractors with high security clearances forbid employees even bringing a personal cellphone into the building. They probably also have a problem with Alexa-capable devices being in the offices.

If you want to do a little research on opinions, here are a few to start with:

https://www.aclu.org/blog/privacy-technology/privacy-threat-always-microphones-amazon-echo
https://lawyerist.com/amazon-echo-useful-risky-lawyers/
https://www.kaspersky.com/blog/voice-recognition-threats/14134/
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/why-we-care-about-privacy/
https://www.wired.com/2011/06/why-privacy-matters-even-if-you-have-nothing-to-hide/
I absolutely do not want Alexis or any similar device. I did not download the update being offered now. I like my Sonos exactly like it is and it works great with my Android. If I don't have a choice to avoid Alexis type devices comingled with Sonos. I will make no more investments in Sonos products. I was concerned to read some place that Sonos might be uniting with Nexia. Nexia runs my thermostat, but can provide security.
I absolutely do not want Alexis or any similar device. I did not download the update being offered now. I like my Sonos exactly like it is and it works great with my Android. If I don't have a choice to avoid Alexis type devices comingled with Sonos. I will make no more investments in Sonos products. I was concerned to read some place that Sonos might be uniting with Nexia. Nexia runs my thermostat, but can provide security.

Oh give me a frigging break. Of course you "have a choice". If you never buy an Alexa device, or even if you do and never activate the Sonos skill, there is absolutely no way to have "Alexis (sic) type devices comingled (sic) with Sonos". So step back from the ledge and do a little research.
jgatie, you didn't get it. I suppose I was not clear enough. It is about the update. It is not clear whether those who don't have Alexis or not looking to buy it should download the current update. Information with the update indicates that a portion of it at least is beta. Beta updates sometimes will mess up a lot of things. I did not download the update, because it is not clear to me that I should. If you don't have some civil reply, why bother?
Userlevel 5
Badge +11
But we all tend to be steadfastly rigid in our views once we've developed an informed opinion.

It doesn't even take being informed for humans to be rigid unfortunately. Not a shot at you, that's our natural bias at play.

So would you mind leaving your curtains open tonight so I can see what you are doing? And while you're at it can I have your credit card bills from last year? Maybe you do value your privacy.

These are bad analogies, and I never said I don't value privacy. I'll explain as we go, but the crux is that you're still overvaluing what "average" people like you and I are worth to a "hacker".

I have read a great deal about this issue, not only of Alexa but the entire Internet of Things security issues

It's always good to be informed. Enterprise security is part of my job, and accordingly I'm well-versed in it.

And it's not just a kid trying to hack you from his bedroom.

That's a tired cliche; you're right.

There's government surveillance (ours and others), corporate espionage, and major criminal uses for stealing a listen.

Those are more realistic threats, but we're crossing a boundary that is important. I'll follow up on it next.

It may be high effort, low reward just to get your personal information, but it's a major reward if they suddenly can get the information en masse.

You may have thought I meant that all attempts at stealing personal information were this way, and I should have been more clear. Stealing your "voice data" is perhaps the least efficient way to compromise you that I've ever heard of. We could quibble about video, but I'd argue that it might be worth so much more that it balances out the cost.

It's high risk, low reward because you have to dedicate a considerable amount of compute to parse these conversations. Alexa triggers off a keyword for a reason. It's not reasonable for it to process everything you say. If the idea is that "bad guys" are going to dedicate that time to an "average" person then I can't agree. And in this case we're talking about the ridiculous amount of processing required to sift the data, not the task of actually compromising your system, which some of the largest IT companies in the world are heavily invested in protecting.

Many government contractors with high security clearances forbid employees even bringing a personal cellphone into the building. They probably also have a problem with Alexa-capable devices being in the offices.

Distinctions. Government contractors do this because these people are *good* targets. It's worth noting that you should be dramatically more concerned about someone "hacking" your cell phone than your Sonos gear though. It's considerably easier, and you can cast a wide net with effectively low effort.

We're talking about two specific points here. It's your value as a target, and the value of the information that can be gleaned from you. With "average" people the cost to compromise them on the hope that something useful can be gathered has to be low, because the actual value is low. Literally, "hackers" sell everything required to steal someone's identity for less than $20 USD. So, no one is going to risk their Alexa backdoor to listen to Average Joe's conversations in the hope that he reads his credit card information out loud.

At the end of the day it's not that someone *couldn't* compromise you in this way. It's that there are so, so many more ways to do it effectively that it's almost never feasible.

If I don't have a choice to avoid Alexis type devices comingled with Sonos. I will make no more investments in Sonos products.
Alexa. You clearly haven't done much reading on the subject, so let me help you relax. The software update will expose you to no new security concerns unless you choose to pair it with Alexa. I've explained above why those aren't something you should be overly worried about, but it's your choice.

I was concerned to read some place that Sonos might be uniting with Nexia. Nexia runs my thermostat, but can provide security.

I don't know where you read that or why they would "unite" with a thermostat company. It seems counter intuitive with their actual plan to integrate with the key digital assistants. I would expect any connectivity to be done through Alexa.

On the second point, I'm not sure if you meant to say "can't". That would be more reasonable. Smart thermostats? These things are constantly being "hacked". Ask Target. Even Nexia themselves had to be informed of dumb vulnerabilities last year.

IoT exposes us all to new risks because you have company's that don't prioritize security, and you have end users that don't care to understand it. That's reality. For us it's about picking acceptable risk for your benefit. I'm not saying ditch them thermostat, but you're lulling yourself into a false sense of security if you think it's better than an Echo or Google Home.
Userlevel 5
Badge +11
Information with the update indicates that a portion of it at least is beta. Beta updates sometimes will mess up a lot of things. I did not download the update, because it is not clear to me that I should.
It does not say it's a beta. The update is a full release. The Amazon Alexa skill is in beta. They are not the same, so you can download it without that concern.
It states: IN THIS UPDATE: Your home Sound Systme is always improving. Now enjoy easier room control, faster time to your favorite music and simpler navigation. (I get that) Then, it states: AND currently in Open Beta in the US, UK and Germany, our CURRENT UPDATE combines the great sound and multi-room listening of Sonos with the easy-to-use voice service of Amazon Alexa.
jgatie, you didn't get it. I suppose I was not clear enough. It is about the update. It is not clear whether those who don't have Alexis or not looking to buy it should download the current update. Information with the update indicates that a portion of it at least is beta. Beta updates sometimes will mess up a lot of things. I did not download the update, because it is not clear to me that I should. If you don't have some civil reply, why bother?

It's "Alexa".

The current Sonos update is a full general release. The Alexa skill that enables Alexa control of Sonos, and is present only on the Alexa devices, is the beta. If you never enable the Alexa skill on a Alexa device, you are not running any portion of the beta.
It states: IN THIS UPDATE: Your home Sound Systme is always improving. Now enjoy easier room control, faster time to your favorite music and simpler navigation. (I get that) Then, it states: AND currently in Open Beta in the US, UK and Germany, our CURRENT UPDATE combines the great sound and multi-room listening of Sonos with the easy-to-use voice service of Amazon Alexa.

Yes, the Alexa skill is in open beta. The Sonos is a general release.

Just a little info about Sonos public betas: If the Sonos app was in beta, you would not have access to it unless you joined the beta team. You also could not download a version from the Apple Store or Google Play, it would have to come from Sonos's beta site, and in the case of the iOS app it would not be available at all because Apple does not allow public betas for iOS.
Thank you. I got it. I just have very careful when it sounds like I might be getting something that I don't want now or that could be a change that could undo my current perfectly working Sonos. We bought it for Music and radio. At our age we do not want to get caught talking to devices sitting in the room. 🙂
Userlevel 7
Badge +22
THE new software does not enable voice control via the software. It allows you if and only if you have an alexa device to link it to your Sonos account if you so chose to provide a away to have alexa push music to your Sonos system. Downloading the software and installing it in no way provides some kind of voice control in app or via the speaker itself. If you have no alexa devices over privacy concerns you don’t enable the skill within alexa and Sonos will have no voice control. Simple as that. There is no reason not to install the new version because of fears regarding voice control privacy.
Skelton:

(I won't bother quoting the whole message) Thanks for your carefully thought out, thorough and considerate reply. You made some very, very valid points that I had not considered, at least not in the way you described them. And you did it without taking offense at what I wrote and retaliating. It's easy to misunderstand in forum posts, and easy to over-react in what we say. I think I assumed you hadn't thought it through. Again, many thanks.

One point of clarification on my points...since I've never owned an Alexa product, I was not aware of how you have to enable a particular skill, nor even that term. That's good to know.

Oops. Maybe my mind is changing.... Look out!!