Header Authentication

The Issues

The use of the Cloud:

This particular Security threat goes back to the issue of recorded conversations, but more importantly, where they are stored. As mentioned previously in VPA Part 4, it is widely believed that they are currently stored on the servers of the Vendors that make and support their brand of Virtual Personal Assistant. However, the physical location of these servers, and thus where these conversations are stored, is not known. Obviously, over a period of time, keeping these conversations on physical servers would become a cost factor for these companies. Therefore, storing them on Virtual Servers based in the Cloud would be the next logical step. But here is where the possible Security risks lie. For example, whether they are stored in Amazon Web Services, Microsoft Azure, or Apple iCloud, the “murkiness” of where these conversations are stored grows even more. The end user will not have any kind of control over how or when they want to delete their conversations with their VPA. It will be entirely up to the Internet Service Providers (ISPs) to provide the Security mechanisms to safeguard the Virtual Servers on which the conversations reside. Thus, there is no guarantee that these recordings won’t be hacked into, tampered with, or even accessed remotely by a malicious third party. It is also quite likely that a recorded conversation could be misunderstood or even misinterpreted by an outside entity, such as a law enforcement agency, if the ISP grants them access. As a result, given how recently Virtual Personal Assistants have entered the marketplace, there is hardly any legal precedent in place to protect the end user under these particular circumstances. The Security risks with Virtual Personal Assistants will grow even more complex as they become further intertwined with the Internet of Things (IoT).

Using your Virtual Personal Assistant to do your shopping for you:

As has been described, the Virtual Personal Assistant is literally trying to be a part of our everyday lives, and in a way, even trying to be a “part of the family.” In this regard, the VPA that we use (whether it be Siri or Cortana) asks us many questions about our personal preferences, interests, hobbies, etc. The primary purpose of this is to help ensure that we are given the most “holistic” experience as we are travelling, or even planning a social activity. For instance, if we are going from Point A to Point B, and we have mentioned to Siri or Cortana where our favorite restaurant is, the VPA will make every effort to find such an establishment within close proximity to our travels. This type of experience is now starting to be extended to when we shop for products and services online. As a result, the Vendors of the Virtual Personal Assistants are now trying to make them do the shopping for us, at a predetermined point in time established by the end user. This simply means that gone are the days when we have to log onto Amazon.com to manually select the products we want; Siri or Cortana will do that for us. Although this will no doubt be of great convenience, there is once again a flip side to this, namely the Security risks which can be involved. For example, in order to initiate an automated shopping routine with Siri or Cortana, we will have to give them our credit card information, bank account information, or other types of financial information, such as PayPal. These will obviously be stored in the VPA so that it can make the online purchases, but the question now arises: to whom will our financial information be made available, and if so, will we receive notification of this?
Or worse yet, will our financial information be stored on the servers of the Vendor (whether physical or virtual) without our knowledge, in a way that is very similar to the conversations that we have with Siri or Cortana? What guarantees do we have that, as the VPA completes the checkout process at the Online Store, our financial information will be received only by the authorized merchant, and not by a malicious third party? Or for that matter, how do we even know that the Siri or Cortana VPA that we are using is authentic in the first place? What if it is a malicious software application that has been spoofed to look like the real thing as it conducts our online shopping? Finally, if our financial information is indeed stored in the Cloud in order to be used for subsequent shopping trips by Siri or Cortana, what Security mechanisms will be put in place to safeguard it from any direct Cyber-attacks? Obviously, these are questions which must be answered before society will even embrace the notion of having a VPA do our online shopping for us.

Conclusions

Our next blog will examine more serious security issues with Siri and Cortana, and we will wrap up this series with the protective measures that you can take and the future implications of using VPAs.