In recent years, smart home products such as smart speakers have gradually entered thousands of households, adding convenience and fun to people's home life. According to the monthly tracking report of China's smart speaker retail market released by IDC, the sales volume of China's smart speaker Market in 2021 was 36.54 million units, with a year-on-year increase of 20.1%. It is expected that the market sales volume will reach 37.25 million units in 2022. Smart speakers are continuing to differentiate into screen and no screen speakers: one is to further upgrade the traditional smart speakers and gradually approach the household flat panel and smart screen by adding screens and cameras. The other is to further lightweight, wireless and modular, mainly positioning the intelligent audio control and interactive entrance of smart home. In the future, smart speakers will continue to penetrate and be embedded in more household products and appliances. With the gradual diversification of the functions of intelligent speakers, the means of information technology are becoming more and more complex, and its security risks are gradually emerging. The security risk of smart speakers should not be underestimated The security risks of intelligent speakers are mainly divided into two aspects. First, with the diversification of functions and the growth of the number of interactive interfaces integrated by smart speakers, the number of entrances that may be attacked gradually increases, and the security risk continues to expand. In 2019, Google home was broken, and attackers can manipulate the target device through remote instructions. If the incident escalates, it may lead to the disclosure of personal information of millions of users, which may lead to fraud and misappropriation of funds, or threaten the personal safety of users and affect social stability. Second, the demand for product positioning and personalized functions of intelligent speakers leads to the collection of a large number of users' privacy information and interactive data, which may lead to the security hidden danger of illegal collection of users' personal data. In 2019, some media disclosed that Amazon hired thousands of employees to monitor the daily recording of its smart speaker Amazon echo users, and even illegally leaked the voice data of more than 1700 users, resulting in a series of effects on users, such as e-commerce harassment and telecom fraud. The China software evaluation center selected several best-selling intelligent speakers with and without screens to evaluate from the perspectives of network security, data security and personal information security. Intelligent speaker network security and data security. Smart speaker app security. The evaluation experts tested the security of the smart speaker app, including component security detection, manifest file detection, WebView security detection, network communication security detection, weak encryption risk detection, data security detection, system vulnerability detection, so file risk detection, privacy permission detection, privacy behavior detection and other test items. In the testing process, experts decompile APK files and use the technical means of automatic scanning and manual infiltration to find the existing security problems. After evaluation, no serious vulnerabilities were detected in the smart speaker app within the evaluation scope, which can effectively avoid the disclosure of user information. Intelligent speaker communication data transmission security. During the communication between the intelligent speaker system and the server, the evaluation experts dynamically collect the transmitted network data. In terms of the encryption algorithm for the whole process of intelligent speaker network communication and connection maintenance, the security analysis and evaluation are carried out by using Wireshark tool and manual audit. After evaluation, during the communication between an intelligent speaker device and the server, there are some problems, such as the clear text transmission of log files, resulting in the disclosure of user sensitive information and so on. The transmitted log contains equipment information, log information and text information converted from voice, resulting in information leakage. Smart speaker system and firmware upgrade security. The evaluation experts first conducted a degradation risk test on the smart speaker system and firmware, and found that most devices took the measures of "upgrade detection" and "firmware signature", locked the serial port and USB interface, and the user could not degrade by himself, thus protecting the security of the smart speaker. Secondly, the experts analyzed the communication process of the smart speaker firmware update request. By analyzing the update request packet, it was found that some devices transmitted the firmware update request in clear text through HTTP protocol. The firmware download address can be obtained from the data package, causing the risk of firmware leakage. At the same time, using insecure communication protocols may face the risk of man in the middle attack. After evaluation, there is a risk of URL exposure in the firmware upgrade communication process of some smart speakers, and firmware leakage may occur. Personal information security of smart speaker users. Rules for the collection and use of personal information. In order to provide users with more accurate customized services, the smart speaker will collect users' personal information, including location information, address book information, audio and video information and other sensitive data. China Software Evaluation Center has tested the compliance of the rules for the collection and use of personal information of various speakers. In the process of testing the rules for the collection and use of personal information, the evaluation experts mainly interpreted the privacy policies of each smart speaker product in detail, and interviewed some questions with the enterprise. All smart audio products participating in the evaluation have complete personal information protection policies and can be put into practice in practical application. However, in the process of collecting and using personal information, there is still excessive collection of users' personal information. For example, after entering the smart speaker app, the user's voice data will be automatically collected for model training, but there is no obvious prompt for the user. The privacy statement of some products does not specify the collection frequency and storage time of personal information. The personal information subject cancels the account. Users should have complete control over the personal user information stored in the smart speaker. When users require account cancellation or user data destruction, the smart speaker, control app or cloud service should provide users with simple and convenient operation methods, and unreasonable conditions or additional requirements should not be set during the cancellation process to increase the obligations of the personal information subject. For example, cancelling a single function is regarded as cancelling the subject account, Require the personal information subject to fill in accurate historical operation records as a necessary condition for cancellation, etc. After testing the smart speaker products involved in the evaluation, there are still problems in the cancellation of some smart speaker accounts and the destruction of user data. When the user cancels the smart speaker account, all products and services under this account will be cancelled, which makes it more inconvenient for the user to manage personal information. Suggestions for manufacturers and users of smart speakers According to the above evaluation contents, China software evaluation center puts forward suggestions for the security construction of intelligent speakers from the perspective of enterprises and users. Suggestions for intelligent speaker manufacturers. First, strengthen the construction of product network and data security compliance. At the level of network security, the product security can be strengthened from the following three aspects: first, the loopholes of the intelligent speaker operating system can be repaired in time, and the system configuration security and port security management can be strengthened; Second, strengthen the security of system firmware and mobile applications, including but not limited to signature verification, shelling, anti memory modification and other means; Third, introduce and pay attention to security testing in the server and smart speaker app, and regularly carry out penetration testing and risk assessment. At the level of data security, the relevant provisions of the data security law and the personal information protection law should be implemented, and the security protection of the whole life cycle of data should be carried out, so that the collected information should be authorized, the transmission and storage should be encrypted, the processing and use should be desensitized, the deletion of data should be thorough, and the disclosure should be legal. Secondly, standardize the rules for the collection and use of users' personal information. The product shall not be mandatory in terms of collecting users' personal information. The collection of users' information shall be modularized according to the function, and the service shall not be refused because a certain information user is not authorized. In the process of collecting and using users' personal information, the content, method, scope, purpose, frequency and accuracy of the collected information shall be described in detail. Among them, there shall be obvious prompts for the collection of users' sensitive information; The use of personal information, such as whether it will provide data to third parties and overseas, shall be described in detail; For the channels and methods of revocation of authorization, application for deletion, complaint and reporting of personal information, comprehensive and easy to understand operating instructions shall be provided. Suggestions for smart speaker users. First, pay attention to the rules of product collection and use of personal information. It can be carried out from the following two aspects: first, pay attention to the registration information, consult the content, purpose, frequency and accuracy of product collection in detail in the privacy agreement, and clarify the terms and contents of its processing, use and third-party sharing, so as to protect its own interests; Second, after registering and logging in, enter the settings or user authorization management page, view the product authorization information, and close the authorization of sensitive information according to the needs. In case of compulsory collection or illegal use of personal information, it shall be reported to the regulatory authority in time. Secondly, pay attention to account information security. The account number of intelligent speaker control terminal is usually shared by multiple apps and products. As one of the control entrances of smart home, smart speaker has the function of controlling other devices. Once its account is leaked or stolen, if it logs in to other smart speaker devices, the security risk will be amplified through smart speaker and pose a greater threat. The account password should be complex and changed regularly to avoid sharing the password with other accounts. Do not click the suspicious link sent by others. Finally, pay attention to the personal information processing of waste equipment. Even if the smart speaker device has been discarded, there is still a risk of data leakage. After evaluation, it is found that after leaving the owner and accessing the new network environment, multiple brands of smart speakers can normally control the devices bound under the original account without verification, and even some have screen speakers, and can directly view their bound cameras. It is recommended that users exit their personal account, delete equipment information or reset equipment before discarding products, and choose a safer discarding method, such as a reliable waste electronic equipment recycling organization. (Xinhua News Agency)