Smart home devices made their way into our living rooms and bedrooms across the world helping us turn off our lights and lock our doors remotely. Now they are taking on new territory: our home offices.
Big tech companies including Amazon, Facebook parent Meta and Google are expanding work applications for the smart home, one that’s controlled by a group of connected devices that can be accessed remotely.
The coronavirus pandemic blurred the lines between people’s home and work lives. As a result, some workers are asking Alexa or Google Assistant to book their virtual meetings, fetch revenue targets or remind them about important events on their busy work calendars. And while all of these work productivity features may add convenience to working from home, experts say they are also raising security and privacy concerns that could cost workers and their companies if not managed properly.
“The lines all blurred during the pandemic. Everything is turning into screens,” said Mark Quiroz, vice president and general manager of product marketing for Samsung’s Display division.
Smart home devices, which include the Amazon Echo speaker or the Google Nest line of smart thermostats, smoke alarms and doorbells, are now considered a mainstream technology, according to a survey by market research firm International Data Corp. More than 77% of households with Wi-Fi connection have at least one smart home device. And consumers are warming up to the idea of using their smart home devices for work purposes, too: Nearly 50% of the about 1,700 people surveyed who are employed and own a smart home device said they’d be willing to use the device for work purposes such as video conference calls or to retrieve the latest sales numbers from connected work-related software.
“Each person may soon have 10 devices tied to them,” said Mark Ostrowski, head of engineering at cybersecurity company Check Point Software. “Ten devices per person times a household of four — that’s 40 devices for entry,” he said, referring to entry points that could be targeted by hackers.
Still, big technology companies are hoping to seize on the opportunity.
Workers using the Amazon Alexa virtual assistant can join Zoom meetings with a simple voice command on Amazon’s smart display called the Echo Show. With Alexa-enabled devices, they can also be reminded at a specific time about details on their to-do lists or their appointments for the day, be played focus music and have their emails read out loud to which they can verbally reply.
Amazon has been courting corporate clients with Alexa for Business, which helps companies deploy and manage Alexa-enabled devices, since 2017. Though it landed customers like General Electric, media group Condé Nast, and not-for-profit health system Hawaii Pacific Heath, the company only lists a little more than a dozen corporate clients. And in 2018, WeWork reportedly halted its pilot of Alexa for Business, though the company didn’t specify the reason for doing so.
But Alexa-enabled devices have a history of quietly recording conversations. Alexa sometimes wakes after hearing its name, or something that sounds like its name even when its users never meant to activate their device. Those conversations — which in today’s remote work environment could very well be work-related — have the potential to be reviewed by human contractors working to improve Alexa’s speech recognition if people using their personal Alexa-enabled devices don’t opt out of the processes.
For business customers, Amazon said all interactions with Alexa are anonymous and not linked to any individual user. It said by default voice recordings aren’t saved.
“We absolutely see Alexa playing a bigger role in work in the future. Customers tell us how Alexa not only helps them get more done throughout the day, but helps them work smarter, productively and safely,” said Liron Torres, head of Alexa Smart Properties at Amazon.
Google, which similarly allows users to opt out of human review and saving recordings, has had a similar history with devices equipped with its voice-activated Google Assistant. Google also has been known to tap into users’ online activities to better serve them ads.
Similar to Amazon, Google aims to equip workers with productivity tools that may aid with work. For example, users are able to create workday routines that automatically remind them about the items on their calendars as well as when they should take a break or get a glass of water. The feature was rolled out during the pandemic.
Before the pandemic, workers were able to use the Google Assistant for tasks like creating to-do lists and calendar items, storing reminders and automatically joining video meetings on the company’s smart display called the Nest Hub Max, which began supporting Zoom at the end of last year.
Facebook also wants in on the work-world action, but it, too, has had its own privacy issues.
The company, which recently changed its corporate name to Meta, said early on in the pandemic that it reprioritized its plans for Portal. The device, powered by its own virtual assistant — called the Facebook Assistant — and Alexa, resembles a tablet and features a smart speaker and camera that follows people around the room as they talk.
“We had a number of users who saw that their workday consisted of going in and out of different video services,” said Micah Collins, director of product management at Meta. “We saw actual pain points of many Portal users and focused on that.”
Portal users can now use their devices to make video calls on services including BlueJeans, GoToMeeting, Webex and Zoom. They can also integrate their work calendars from services like Google and Microsoft. And companies can also rollout and manage a group of devices for their employees with special work accounts.
But in 2019, Facebook was slapped with a history-making $5 billion fine from the Federal Trade Commission for violating consumers’ privacy. The FTC probed the company after the social media giant left up to 87 million users’ data vulnerable to data analytics firm Cambridge Analytica ahead of the 2016 U.S. presidential election. Since then, the company has suffered several massive breaches of user data and has come under scrutiny for the amount of data it collects about its users.
Meanwhile, consumer electronics giant Samsung is hoping to get more connected displays that do it all in a stand-alone device. So workers can use software like Microsoft 365, complement their laptop and desktop screens and watch streaming entertainment, too. This means adding more screens in the homes of more workers. More screens means more connections and more risk, security experts say.
They say consumers should heed caution when mixing their personal and professional data and devices. Workers could be creating new opportunities for criminals to steal sensitive company information, even if it’s seemingly well-protected by security software.
Michael Siegel, director of cybersecurity at MIT Sloan, said it could be as simple as someone hacking a person’s smart thermostat or smoke alarm, for example. In that case, all they have to do is raise the temperature in the home or set off your smoke alarm in an attempt to get you to leave your device behind for them to steal.
“The more we’re connected to our office, the more exposed we are to social engineering,” he said. “All of these are things that can cause you to let your guard down.”
Beyond physically stealing a device — and all of its data — criminals also will have more ways to get to sensitive corporate data as people increase the devices that connect to it, experts say. Ari Lightman, professor of digital media and marketing at Carnegie Mellon University’s Heinz College, said it boils down to one simple fact: “If there’s a mechanism to exploit, people will look to do that.”
But workers may not only be increasing their exposure to hackers but also potentially to their employers, as well. Adam Wright, a senior analyst at IDC, said company-issued smart home devices like Facebook’s Portal should be considered much like company-issued laptops, which can be easily monitored by employers. Facebook employees, for example, were offered free Portal devices after the outbreak of the pandemic to help with virtual meetings. But the devices should be handled with caution, Wright suggested.
“Employers have every ability to monitor their employees with their devices,” Wright said. “It would be incredibly naive to assume that the same type of employee monitoring practices used on traditional devices like laptops and smartphones wouldn’t be used on other employer-provided devices like smart displays and smart speakers. “
Workers who are using their smart home devices for work would be wise to do a few things, said Pardis Emami-Naeini, researcher at the University of Washington’s Security and Privacy Research Lab. First, they need to familiarize themselves with the privacy and security of their smart home devices to understand what they may need to do to protect their data, and that of their company, as best they can. They also should be regularly updating the device, if the device doesn’t automatically update, to prevent additional security vulnerabilities, just like they would with their smartphones.
“Now that the purpose [of the device] is different, they shouldn’t assume that the normal practices of their daily behavior is going to work,” Emami-Naeini said. “The purpose is different and the data they share is more sensitive.”
Check Point’s Ostrowski said the responsibility not only lies with the worker but with the employer, which should be doing everything to safeguard its data and network even if a person’s personal device is compromised.
“It’s less about how do I secure or chase after 10,000 employees to make sure their digital hygiene is good. It’s more about how do I make sure when they come to the corporate environment, they can’t bring a malicious footprint with them,” he said.
Janneke van Ooyen, a community manager of a mobile gaming company in Barcelona, Spain, who recently outfitted her home with eight smart lights, a smart sound bar and an Amazon Echo Dot, said she’s hesitant about using these devices for work purposes.
“Since the data is very sensitive and you don’t know where it’s stored — that would be my biggest gripe for not” using it, she said. “We work with a lot of licensers, so if anything got out, that would be really bad.”