It’s been quite a month for people afraid of Amazon invading their privacy through the use of AI. Last week, the ACLU asked Amazon to stop providing access to its facial recognition software to law enforcement agencies, and news emerged that an Oregon woman had her private conversation recorded by an Echo speaker and sent to a person in her contact list.
But earlier this month, while the world was losing its collective shit over Google’s Duplex, which gives Google Assistant the ability to make phone calls on a user’s behalf, Amazon rolled out an update to its Door Lock API. Now, starting with brands like August and Allegion, makers of Schlage locks, people can unlock doors simply by saying “Alexa, unlock door” followed by a verbal PIN code.
The Door Lock API was first introduced for smart home lock manufacturers in February 2017. At the time, an Amazon spokesperson told VentureBeat unlock permission would not be added for the Door Lock API until additional security was put in place.
To protect against people poking their head in your window to simply say “Alexa, unlock the front door,” users must opt-in to the door unlock feature. They also have to verbally state a four-digit PIN code every time.
Should three attempts to enter the PIN fail, users will have to open the app and create a new one. But if somebody is determined to find a way to trick Alexa into gaining access to your home, there’s no assurance today that it’s impossible to do so.
“I always tell people nothing is 100 percent secure, so if somebody suggests that it is, they’re either ignorant or probably somebody you probably shouldn’t listen to,” said Rob Martens, a futurist at Schlage, told VentureBeat in a phone interview. “The bottom line for that is we’ve begun a transition from keeping bad guys out to keeping bad guys out but letting people and services you want in, and so just like with any significant transition, that comes with tradeoffs.”
By “letting people and services you want in,” Martens is referring to in-home delivery services. Competition over the space has ramped in recent months, following Amazon’s acquisition of Ring for a reported $1 billion this spring.
Assa Abloy, one of the world’s biggest lock makers, acquired August Homes in October, shortly after the introduction of its in-home delivery service. A week later, Amazon introduced its Cloud Cam and Key in-home delivery service.
The Door Lock API may require the user to opt in and speak the PIN code, but it does not utilize Amazon’s voice identification system for an added layer of protection. That means anyone who knows your code can say it and enter your home.
Requiring the person to have a specific smartphone with them, or even scan their fingerprint, could be used to strengthen voice door-unlock security, but each of these processes increases friction for people who turn to voice for the ease of use. Martens does envision a day when unlocking doors with no PIN code is possible, but that won’t come until there is more confidence in consistent performance from voice identification systems or other forms of biometrics.
Hypothetically speaking, even then, an in-home delivery person or neighbor could enter your home, leave a recording device, and gather sample recordings of your voice or capture your PIN code.
Without a second security layer, be it a PIN or something else, a criminal with access to recordings of someone’s voice could enter that person’s home by using speech synthesis systems like WaveNet from Google’s DeepMind to trick voice identification systems.
“Things like voice add a special challenge because they can be recorded, they can be replicated,” Martens said. “I think the question people would ask is, ‘What if I’ve got a hyper accurate recording?’ And the simple answer to that is absolutely, that is a way you could falsify things today, until someone comes up with a technology that can 100 percent of the time know the difference between the recording of Rob versus the live Rob now.”
A PIN code and the introduction of voice ID might make it tougher to unlawfully enter your home, perhaps even tougher than making a copy of your home’s key, but they don’t make it impossible. Ultimately, it’s up to users to decide what level of control and risk they find acceptable.