
Is My Google Home Spying On Me?

Amir Ghadiry
April 05, 2017

In this day and age of connected devices and the IoT revolution, there are a lot of concerns around privacy. As consumers, we are caught in the balance between privacy and convenience. Companies such as Google have to push this balance to develop innovative and sometimes creepy technology, often at the cost of our data. Today, we are going to focus on the Google Home, and whether its “always listening” capabilities are spying on us.

Always listening? That sounds exhausting …

If you own a Google Home or Amazon Alexa, you may be aware that it’s always on standby waiting for your every command. The device is always listening: it records into a small buffer and analyzes that recording for the “hot word”. For the Google Home this is a simple “Ok Google” or “Hey Google”. According to Google, “Those snippets are deleted if the hot word is not detected, and none of that information leaves your device until the hot word is heard.” Once the hot word is triggered, the device will keep the recording (including the buffer where the hot word was detected), and ship it off to Google’s servers for processing. The recordings can be seen on your My Activity page on Google. Keep in mind, the buffer is still being sent, so the recording may include a few seconds prior to the hot word.

Let’s keep on the tin foil hat until we prove it

Why should we trust Google? I set up an experiment with my Google Home to see what this little thing is actually sending over the network. I used Wireshark to capture the wireless traffic in and out of the Google Home. There was a significant amount of communication between the device and other nodes on my network, but we will save that for another blog. I filtered the communication down between the Google Home and the outside world and graphed the amount of data that was being transferred. The communication between the Google Home and Google servers is encrypted over HTTPS, so I could not see the exact payload, but the graph tells the story. I captured the amount of data being sent between the device and Google for 940 seconds. During this time, I tried a few different things to see if it was spying on me in between commands. The timeline is as follows:
  • 0 – 40 seconds: Device boot up
  • 320 seconds: “Ok Google. What’s the weather?”
  • 400 seconds: Muted the microphone with the button on the back
  • 400 – 500 seconds: Repeatedly attempted to trigger the device while on mute
  • 500 seconds: Unmuted
  • 550 seconds: “Ok Google. Is it going to rain tomorrow?”
  • 650 seconds: “Ok Google…” Triggered with no command, no response
  • 800 seconds: “Ok Google. Play some music” (Spotify starts)
  • 850 seconds: “Ok Google. That’s enough” (Spotify stops)
[Graph: Google Home Network Traffic in KB/s]
As you can see from the graph above, we have sharp spikes of data being sent around the times the hot word and commands were sent. The Google Home performed as expected. As the device booted up, there was some data transfer; otherwise the network was relatively quiet between commands. We also proved that when the device microphone is muted, none of the hot word triggers or talking caused an increase in network traffic.
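The method described above (filter the capture down to the device's traffic with the outside world, bin it by time, and compare the bins against the timeline) can be reproduced with a short script. This is an added example, not the author's code: the device address, home subnet, bucket size, threshold and sample rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; none of these come from the original post.
DEVICE = ipaddress.ip_address("192.168.1.50")  # the speaker's address on the LAN
LAN = ipaddress.ip_network("192.168.1.0/24")   # home subnet, treated as "inside"
BIN = 10                                       # seconds per bucket

def external_kb_per_bin(rows):
    """KB per BIN-second bucket for packets between DEVICE and hosts outside LAN.

    rows: lines of "time_relative,ip.src,ip.dst,frame.len", e.g. from
    tshark -r home.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst
           -e frame.len -E separator=,
    """
    bins = defaultdict(int)
    for line in rows:
        fields = line.strip().split(",")
        # Skip blank lines, non-IPv4 frames (empty addresses) and tunnelled
        # packets that report more than one address per field.
        if len(fields) != 4 or not fields[1] or not fields[2]:
            continue
        t, src, dst, length = fields
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        peer = dst if src == DEVICE else src if dst == DEVICE else None
        if peer is None or peer in LAN:  # not the device, or device-to-LAN chatter
            continue
        bins[int(float(t)) // BIN * BIN] += int(length)
    return {start: total / 1024 for start, total in sorted(bins.items())}

def spikes(kb, threshold_kb):
    """Bucket start times whose external volume reaches the threshold."""
    return [start for start, v in kb.items() if v >= threshold_kb]

def quiet(kb, start, end, threshold_kb):
    """True if no bucket starting in [start, end) reaches the threshold."""
    return all(v < threshold_kb for s, v in kb.items() if start <= s < end)

def constructed_capture():
    """Constructed sample rows (not the author's capture), loosely following the timeline."""
    ext = "192.168.1.50,203.0.113.10"
    rows = [f"{t}.0,{ext},120" for t in range(0, 940, 30)]       # small keepalives
    for t in (320, 550, 800):                                     # spoken commands
        rows += [f"{t + i * 0.05:.2f},{ext},1400" for i in range(40)]
    rows += [f"{t}.5,192.168.1.50,192.168.1.1,1500" for t in range(400, 500)]  # LAN only
    rows.append("450.0,,,60")                                     # non-IP frame
    return rows

if __name__ == "__main__":
    kb = external_kb_per_bin(constructed_capture())
    print("spike buckets:", spikes(kb, 10))
    print("mute window quiet:", quiet(kb, 400, 500, 10))
```

Volume over time shows when data leaves the device, not what it contains. Small keepalive traffic stays under the threshold by design, so a threshold set too high would also hide a slow trickle.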

Can we trust them?

I don’t think so. I think it’s okay to have a healthy amount of skepticism before inviting companies into your home and selling them your privacy. While devices such as the Google Home may be well designed, security tested, and care about your privacy, others may not. In this world of internet-connected cameras, locks, cars, etcetera, you should care what’s being sent over the wire and what that company is doing to protect you and your privacy. Consumer demand for these conveniences is outpacing our concerns, and many companies are cutting corners with regard to safety and privacy. Let me know in the comments what devices you would like tested next.

About the author

Senior Manager | United States
Amir is a self-driven entrepreneur with a passion for technology. He has extensive industry experience through GT Media, the company he co-founded. While at GT Media, Amir acquired over 250,000 users with his popular Android applications SeekDroid and Woot Check. In addition, he has also developed many consumer-facing mobile applications for other companies such as Virgin Mobile.

Comments

One thought on “Is My Google Home Spying On Me?”

  1. Thanks for writing this up. Just some questions.
    1. Do you know what application protocol Home is using?
    2. If it’s encrypted, did you try proxying network requests from the Home device through your computer in order to decrypt the application layer data?
    3. If so, did you have to get the Home device to trust your proxy’s self-signed TLS cert? I’m wondering if the device does TLS certificate pinning.
