HIT Think

How hackers increasingly can target the data of homebound patients

With the rising number of homebound healthcare patients using technology to communicate with caregivers, family and others come new data threats from hackers targeting patient data.

In a new blog post, I’ve assessed the data security threat of hackers obtaining sensitive data through popular home smart assistant technologies such as Alexa and Google Home, from which hackers can launch attacks.

David Limp, senior vice president of devices and services at Amazon.com Inc., speaks as the new Fire TV, from left, Echo, and Echo Plus devices sit on display during the company's product reveal launch event in downtown Seattle, Washington, U.S., on Wednesday, Sept. 27, 2017. Amazon unveiled a smaller, cheaper version of its popular Alexa-powered Echo speaker that the e-commerce giant said has better sound. Photographer: Daniel Berman/Bloomberg

Here is what patients, families and caregivers need to know in order to not become a conduit for a hacker.

  • Although Amazon and Google respond to reports of vulnerabilities in popular home smart assistants, hackers continually work hard to exploit any vulnerabilities in order to listen to users’ every word to obtain sensitive information that can be used in future attacks.
  • ZDNet recently reported that two security researchers at Security Research Labs discovered that phishing and eavesdropping vectors are being used by hackers to provide access to functions that developers can use to customize the commands to which a smart assistant responds and the way the assistant replies. The hackers can use the technology that Amazon and Google provide to app developers for the Alexa and Google Home products.
  • By putting certain commands into the back end of a normal Alexa/Google Home app, the attacker can silence the assistant for long periods of time, although the assistant is still active. After the silence, the attacker then sends a phishing message, which the user is led to believe has nothing to do with the app they interacted with.
  • The user is then sent a message claiming to be from Amazon or Google, asking for the user’s password. Once the hacker has access to the home assistant, the hacker can eavesdrop on the user, keep the listening device active and record the user’s conversations.
  • When hackers eavesdrop on every word, even when it appears the device is turned off, they can obtain information that is highly personal and can be used malevolently in the future.
  • Manufacturers of the home smart assistants reiterate to users that the devices will never ask for their account password. Cyber hygiene for home assistants is no different than cyber hygiene with emails.