Privacy Issues in Voice Assistant Ecosystems

Voice assistants have become quite popular lately while in parallel they are an important part of smarthome systems. Through their voice assistants, users can perform various tasks, control other devices and enjoy third party services. The assistants are part of a wider ecosystem. Their function relies on the users voice commands, received through original voice assistant devices or companion applications for smartphones and tablets, which are then sent through the internet to the vendor cloud services and are translated into commands. These commands are then transferred to other applications and services. As this huge volume of data, and mainly personal data of the user, moves around the voice assistant ecosystem, there are several places where personal data is temporarily or permanently stored and thus it is easy for a cyber attacker to tamper with this data, bringing forward major privacy issues. In our work we present the types and location of such personal data artifacts within the ecosystems of three popular voice assistants, after having set up our own testbed, and using IoT forensic procedures. Our privacy evaluation includes the companion apps of the assistants, as we also compare the permissions they require before their installation on an Android device.