One of my colleagues was able to spend a bunch of money on my credit card using the Amazon Echo ($100 at Amazon) and Google Home ($99 at Walmart). Both services also freely gave my coworker Chris my personal info because they both thought he sounded like me.
To be clear, Chris wasn't trying to steal from me or spy on me. We were trying to find out how easy it is to fool the voice recognition feature of Google's digital assistant (just called ) and Amazon's digital assistant . As it turns out, it's not hard.
What is voice recognition?
You can train both the Google Assistant and Alexa to recognize your specific voice in their respective apps. Once you've trained them, both services will customize their responses to your particular voice. Ask Google "what's on my calendar today," and you'll get responses from your own personal calendar. Ask Alexa for a briefing, and she'll play your customized news feed. It's a handy feature that I quite like. If you have a voice controlled smart speaker such as the Google Home or Amazon Echo, you can even train them to recognize multiple voices, so each family member can access their own information.
Can you trick your digital assistant?
When Google, we found it was . Now that both Google and Amazon offer the feature, we wanted to see if we could intentionally trick both digital assistants. Turns out, we can.
Chris successfully imitated three male colleagues here in our Louisville office. Two of the women in our office, Megan and Molly, were able to imitate each other without even trying to do an impersonation. Check out the video above to watch these impersonations in action.
What our results mean
I'm not suggesting you toss your Amazon Echo or Google Home in the trash to preserve your security and avoid erroneous purchases. Someone still has to be within shouting range of these speakers to get access to your stuff, so you only need to worry about the people inside your house. With that in mind, you might want to take a couple of precautions if you have a big family or a lot of roommates.
If you're not worried about your personal info, but don't want your kids doing an impression of you and making purchases, both assistants let you turn off voice purchasing while keeping your the rest of your personalized results intact.
How to turn off voice payments
In the Google Home app, click settings in the upper left corner of the main page, then go to "more settings." Click "payments" then toggle off "Pay through your Assistant." In the Alexa app, click the settings icon in the upper left corner, click the "Settings" button, scroll down to "Voice Purchasing" and toggle off the "Purchase by voice" option.
Note that in the Alexa app, you can also enable a voice code option. This is off by default, so members of your house don't even have to sound like you if voice purchasing is on and this is turned off. If you turn it on, you'll have to enter a four-digit PIN. Then, you'll have the option to allow recognized speakers to skip the PIN.
In our tests, we weren't able to get around entering the PIN. To an extent, that's a good sign for Alexa's security, as Chris wasn't able to make a purchase on my behalf without that PIN once I enabled this option. But the feature also wasn't working correctly, as it didn't even allow me to skip the PIN when making a purchase, which it should have after I used the pin correctly the first time. Also, if a roommate hears you enter the PIN, there's nothing stopping them from making a purchase.
How to turn off personal results
If you don't want your roommates or family members accessing any of your personal information, both Google and Amazon let you turn off the feature entirely. Start from the same "More settings" menu in the Google Home app, then scroll down to your shared device such as your Google Home. Click the device and you can toggle off "Personal results."
With Alexa, you again start from the "Settings" menu. This time, click "Your Voice" and then click "Forget my voice." Note that while turning off personal results in the Google Home app turns off purchasing as well, Alexa forgetting your voice won't actually stop you from making voice purchases, so make sure you turn that off as well using the steps above.
Trusting your voice
Google warns you when you first set up voice recognition that a similar voice might be able to access your info. In response to this story, Kara Stockton on the Google Assistant team offered the following statement over email: "Users shouldn't rely upon Voice Match as a security feature. It is possible for a user to not be identified, or for a guest to be identified as a connected user. Those cases are rare, but they do exist and we're continuing to work on making the product better."
Amazon claims Alexa is more secure as it listens to the entire utterance and not just the wake word. We were still able to fool Alexa in our tests, but the extra security means your impersonator has to be a little more skilled when issuing a longer command. It also means they can't just record you saying the wake words, then issue any command they want.
Amazon declined our request for comment.
I like the fact the digital assistants built into your smart speakers can get to know you. Just be sure to use caution when giving Alexa or Google Assistant access to your info. Take into account your living situation, who's regularly around the speaker, and what info your let each service access. Otherwise, your friendly virtual assistant could easily turn into a digital traitor.