Voice-assisted technologies entered the marketplace in 2009 with the introduction of Google Voice. One year later, Apple introduced Siri, and Samsung followed in short order with the introduction of S Voice in 2012.
Originally intended for accommodating hands-free use of mobile devices, voice-assisted technologies have moved far beyond a smartphone feature to become an integral component of the smart devices many of us use at home and on the go.
According to PEW Research Center survey results released in November 2019, a quarter of all U.S. households are now using voice-activated assistants like Amazon Echo or Google Home. Half of the survey respondents expressed concern about the amount of personal data these devices collect. The concern is not unfounded.
One of the first examples of how things can go wrong was widely reported in 2017. A television news station ran a story that triggered devices without permission.
The human-interest story was about a little girl inadvertently placing an order for dollhouses when conversing with her parents’ Amazon Alexa. The story ended with the anchor saying the words “Alexa ordered me a dollhouse.” That phrase “woke up” home devices that then also attempted to place orders for dollhouses.
Voice assistants are convenient, but what if it’s not your voice? Things are further complicated by the fact that third-party developers provide add-on functions for everything from ordering food to managing bank accounts.
Lack of security can allow bad actors, through these third-party applications, to take over voice-assisted devices and gain access to private information.
Yuan Tian, an assistant professor in the Department of Computer Science at the University of Virginia School of Engineering, recently earned a CAREER AWARD from the National Science Foundation for developing advanced methods to secure voice-user interfaces and “internet of things” platforms.
Through the CAREER Award program, the National Science Foundation recognizes early-career faculty who have the potential to serve as academic role models in research and education and to lead advances in the mission of their departments or organizations.
Tian earned a master’s degree at Beijing University of Posts and Telecommunications, where she researched methods to protect intellectual property rights on smartphones. She transitioned to her doctoral research at Carnegie Mellon University just as internet of things technology was gaining popularity.
“Voice-user interfaces were becoming a feature in a wide range of cyber-physical systems applications, for everything from health care, to shopping, to even remote control of cars,” Tian said. “It was becoming critical to not only protect voice-activated devices from malicious takeovers, but also to protect the information they collect.”
Tian undertook several industry research internships as well. She worked with Microsoft and Facebook to advance their authentication security protocols and served as a security intern at Samsung, where she contributed to a safer Android operating system.
Tian credits these internships with providing valuable insights for the translation of ideas into commercial adoption. “There are real-world constraints and limitations that must be considered,” she said.
After completing her doctoral research in 2017, Tian joined UVA Engineering’s Department of Computer Science and became a participating faculty member in UVA Engineering’s Link Lab. There she joins close to 40 faculty and 200 graduate researchers all devoted to interdisciplinary research in cyber-physical systems.
In her lab at UVA, she has set out to develop methods for assessing security threats to voice-user interfaces, the cyber-physical system component used in many internet of things devices like Amazon Echo and Google Home.
Tian’s team created a machine learning framework that was able to analyze 77,957 Amazon Alexa applications and 4,813 Google Home applications with 95% accuracy. This is the equivalent of 198,199 voice commands from Amazon Alexa and 13,644 voice commands from Google Home.
Her team gathered the large amount of data in just two years.
“Yuan is pioneering novel machine learning protocols for gaining a more advanced understanding of security vulnerabilities,” said Kevin Skadron, Harry Douglas Forsyth Professor and chair of computer science. “Her research will accelerate knowledge of how to detect and block system attacks, leading to internet of things devices that are better equipped to protect user data.”
The National Science Foundation recognizes that security protocols need to keep pace with the sheer volume of voice-activated internet of things devices being unleashed in real time, each one with their own set of third-party applications.
“There is a lack of understanding as to what type of third-party applications have access to voice-activated internet of things devices and the security threats these applications introduce,” Tian said. “We can use machine learning-based testing to mimic attack scenarios and gather empirical data about the magnitude and nature of these threats.”
With this CAREER Award, Tian’s team will use her proven machine learning voice testing to analyze interactions between voice-activated devices and third-party applications. The testing will gather data about vulnerabilities introduced during device setup, particularly with installation of third-party applications, and the device’s ability to identify an unauthorized voice.
“New engineering methods are required to keep pace with the internet of things revolution happening at the intersection of the cyber and physical worlds,” said John A. Stankovic, BP America Professor of computer science and director of the Link Lab. “Yuan’s research is creating better ways to protect internet of things devices that society uses and must be able to trust with their personal data.”
Because Tian’s research offers a broad-based understanding of security threats, it will contribute to advances in the design of a wide variety of internet of things platforms. That understanding is more important than ever. Last year the research advisory group Gartner projected that in 2020 there would be 5.8 billion connected devices, a 21% increase in just one year.
“I envision a future where we will trust our smart devices to protect us from intrusion,” Tian said. “Teaching voice-user interfaces how to always detect and block bad actors will be a key in offering users complete confidence that their data is secure.”