Resources / Opinion / Alexa - let's talk security?

Alexa – let’s talk security?

Increasingly we are seeing the integration of voice assistance in Automotive. This makes complete sense as a way of enabling access to high-value services, without requiring the driver to take their eye off the road.

Voice capabilities in automotive are not in itself new – but what has changed is that rather than proprietary systems with relatively fixed function, there is a move to integrate leading-edge systems from Amazon, Google, and others.

With Android 11, Google has released a new version of its digital assistant, which is integrated more deeply, allowing you to have much more refined control over vehicle functions. At the same time, Amazon has launched new capabilities around Alexa.

In particular, they have a new SDK coming out that allows OEMs to customize and personalize that experience to their particular brand or their particular vehicle. This allows OEMs to use their terminology rather than having to use a Google or Amazon term. For example, “dynamic stability” may be called something slightly different depending on the vehicle. 

This is a small, but significant step as it gives consistency with owner manuals and customer expectations and means the voice capability feels like part of the brand’s experience rather than a third-party add-on.

Going above and beyond that, we are also starting to see some of the interconnection between experiences; such as the ability to control home devices and vehicle functions consistently, providing customers with a very powerful brand experience.

With all this new capability, security is obviously of great importance – both for user privacy, but also to ensure that these new voice assistants do not provide a new attack surface for vehicle functions.

Amazon has stepped up to the challenge and recently announced a new set of security-focused requirements for vehicles and other OEMs wishing to integrate Alexa capabilities. Full details can be found here.

This is an exciting development. The big internet players have started to take an active interest in the security of all devices that connect to their cloud systems – not just the ones they manufacture themselves. Google has for a long time had strong security requirements around Android Certification. 

OEMs wishing to put the Android badge on their devices, or make use of Google services ( such as Google Maps) have been making use of security technologies such as Trusted Execution Environments, to pass Android Certification Tests.

Amazon has now done something similar for Alexa-enabled devices and comes up with a strong list of requirements an OEM has to meet. These include secure key storage and Certification from a 3rd party lab.

The new requirements are quite broad – as expected, there are requirements for secure boot, cryptography, and secure storage – but also some quite complex new needs like anti-rollback and over-the-air software update.

From a security perspective, this is a very good thing – but there is a bit of a clash of cultures. Amazon works at “internet speeds” and their new requirements apply from August this year – a window of only 6 months. The automotive industry is used to much longer runways for changes, so some will struggle to meet these new needs.

The good news is that leveraging the Trustonic TEE does not require changes in hardware specs, so can potentially be added to projects relatively quickly, even if the boards have already been designed. We have vast experience in meeting Google requirements and dealing with certifications, so for us, this is business as usual.

It is great to see that Google and Amazon are treating security as a first-class requirement. For some, it will require a change of thinking and approach and is yet another reason why secure development is becoming so important within automotive. 

While this initial adjustment may be painful for device makers, it will enhance the confidence of consumers in these products and services, which in turn will lead to high device sales and stronger digital revenue streams.