I’ll bet $30 and a rack of the best beer you have in your fridge that your home network consists of the old router-and-Wi-Fi combo from your internet service provider. It has four ports on the back of it and some coax cable running into it. You might use one port for your PS5 that you beat up some kid at Best Buy for, and everything else is run off Wi-Fi. If you are really tech savvy, you have figured out how to change the name of your LAN to “FBI Surveillance Van #3” to scare the neighbors and give yourself a hearty chuckle when you connect to it.
I’ll also bet that at some point, you purchased a smart device from Amazon or Google. (If you bought the Apple one, you must be extra proud of how your Prius is saving the world.) You probably slapped that smart device on the same network that you use to play videogames, to check your bank account, to watch Garand Thumb and to do certain “special activities” on too. You have also heard the talk about how the device is pretty much a wiretap, so you bought a VPN subscription from an ad on your favorite podcast to solve the problem. “No way Jeff Bezos is spyin’ on me,” you say.
So, anyway, let’s cut to the chase: They are spying on you. Your VPN subscription may make you feel better, but it isn’t doing anything to stop information from being collected on you, and what’s more, you paid them for their efforts. If you are like millions of other Americans operating from a flat network at home, that little wiretap is able to communicate with all your devices and might also be sniffing out your traffic for various reasons. This means your shopping habits, day-to-day routines and even your “special” habits are being recorded.
Amazon mandates on their developers’ page that Alexa Voice Service (AVS) must use TLS 1.2, which means that anything that it sends home to Uncle Jeff is encrypted, and you can’t know what it is. This is good if you order something that requires your personal and payment information. This is terrible if you are trying to figure out exactly what the Alexa device is telling the remote services it uses to function. It is also terrible because the moment you send data over the device, you are no longer in control of it on your own home network.
AV-TEST, a German-based cybersecurity organization that independently tests and evaluates cybersecurity software, ran an experiment on an Amazon Echo Dot in 2017. They tested when the Echo Dot sent packets over a network and what triggered the transmission by putting an Echo Dot in a quiet room with two people. After 8 seconds of silence, they used the wake-word “Alexa” and asked the Echo Dot what time it was. The packet capture showed zero transmitted bytes up until the wake-word was said 9 seconds in. After the Echo Dot answered, they fed it another 8 seconds of silence and then used the wake-word “Alexa” again and quoted Jean-Luc Picard: “Tea, Earl Grey, hot.” Again, there was no traffic over the net during that silence until the wake-word was said and the Echo Dot fed Amazon’s servers the input and fetched the output.
After the Echo Dot responded, the two people in the room held a normal conversation for about half a minute, ensuring that the conversation didn’t include the wake-word “Alexa.” During that conversation, the Echo Dot transmitted zero bytes over the network. Likewise, it didn’t contact its home servers unless the wake-word was said.
Our corporate overlords aren’t off the hook yet. AV-TEST explicitly said that because it was calling home using encryption, they had no idea what was being transmitted to begin with and could only make assumptions. That’s not to say that the Echo Dot didn’t totally listen in on the conversation and then report back to its home servers the next time its wake-word was said and it had permission to transmit. The only entity that has the private key for the encryption is Amazon. The experiment didn’t mention if the conversation was held in German or English or if words that Amazon finds unsavory (since Amazon is purging the site of specific political points of view) were said.
The best answer to the question, “Is my smart device spying on me in my own home?” is that it is difficult to be sure, which is terrifying. However, it’s not all over for your sense of privacy for money or marital purposes if you must still have the wiretap in the house. So let’s talk mitigation. The first thing you can and should do for all your insecure “Internet of Things” devices is not to have them on the same network that you do important things on. Your most basic router-and-Wi-Fi combo from your ISP can isolate hosts, which prevents each of your devices on your network from talking to each other. This will take away some of the functionality that makes your IoT devices appealing, but at least the risk of Alexa spying on your network traffic is mitigated.
Your network can also be segmented with one of two concepts that will require some research but that will go a long way toward protecting your privacy. These concepts are the VLAN and subnetting. A VLAN, or virtual local area network, is a special switch on your network that creates a virtual network that groups specified devices into their own segments. VLANs are a great way to keep different devices on your home network from talking to each other while still retaining full usability of your devices.
Subnetting, on the other hand, essentially splits your current network into different portions that are separate from each other using the concept of a “subnet mask.” For instance, your home setup can probably accommodate one subnet of 255.255.255.0 or two subnets of 255.255.255.128 that are segmented from each other (these subnet mask numbers define the range of IP addresses that can be used in a network). Learning how to shape traffic with a firewall is useful as well, and even your ISP router-Wi-Fi combo comes with a firewall. YouTube has plenty of free information for beginners on all these concepts and how to use them. The only investment you’ll need is time and patience.
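To make the subnet-mask arithmetic above concrete, here is an added example (not part of the original article) that splits one 255.255.255.0 network into the two 255.255.255.128 halves and audits a device list against them. The 192.168.1.0/24 range, the device names and their addresses are constructed assumptions.

```python
import ipaddress

# Assumed home LAN (constructed): a common ISP-router default range.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
# Constructed device inventory: name -> currently assigned address.
DEVICES = {
    "laptop": "192.168.1.10",
    "ps5": "192.168.1.20",
    "echo-dot": "192.168.1.130",
    "smart-plug": "192.168.1.140",
    "banking-tablet": "192.168.1.150",  # deliberately placed in the wrong half
}
IOT_NAMES = {"echo-dot", "smart-plug"}

def split_lan(lan=HOME_LAN):
    """Split the LAN into two equal subnets: (trusted, iot)."""
    trusted, iot = lan.subnets(prefixlen_diff=1)
    return trusted, iot

def same_subnet(a, b, mask):
    """Hosts treat each other as local only if (address AND mask) match."""
    m = int(ipaddress.ip_address(mask))
    return int(ipaddress.ip_address(a)) & m == int(ipaddress.ip_address(b)) & m

def segment_of(addr, lan=HOME_LAN):
    """Name the half an address falls in after the split."""
    ip = ipaddress.ip_address(addr)
    for name, net in zip(("trusted", "iot"), split_lan(lan)):
        if ip in net:
            # The split turns .127 and .128 into broadcast/network addresses.
            if ip in (net.network_address, net.broadcast_address):
                return "unusable"
            return name
    return "outside"

def audit(devices=DEVICES, iot_names=IOT_NAMES):
    """Return devices whose address is not in the segment they belong to."""
    return sorted(n for n, a in devices.items()
                  if segment_of(a) != ("iot" if n in iot_names else "trusted"))

if __name__ == "__main__":
    for net in split_lan():
        print(net, net.netmask, net.num_addresses - 2, "usable hosts")
    print("misplaced:", audit())
```

With these masks, a host in one half sends traffic for the other half to the router instead of directly, so the router's firewall rules decide what crosses between the two subnets.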
Preparedness and resilience are virtues, given the tumultuousness of this new decade. A lot of effort and money are directed by people toward training, firearms and equipment, which can separate the survivors from the casualties during physical confrontations, but we often completely ignore the massive communication, commercial and entertainment media that virtually connect us to the world.
However, we do have an increasing awareness of the rules of digital engagement: Your information is a commodity, and if you are of a certain political persuasion, you may be a target to be neutralized by the tech companies that might hate you. And this doesn’t even account for the handful of countries that want to use this country’s own internet against it. Learning how your home network works and learning how to secure it are the first steps on the path to digital preparedness and resilience in the 21st century.
In the 1950s, Americans built bomb shelters to protect their families against a Soviet threat. Today, you can prepare against an online attack by learning to isolate and protect your home networks instead of depending on slogans and buzzwords that you don’t even understand to protect you.