Researchers discover that the Amazon Echo can be hacked and used as a spying device.

At DEFCON last week, white hat hackers explained during a presentation that it is indeed possible to hack an Amazon Echo. Security researchers from Chinese conglomerate Tencent described the steps they took to turn a regular, working Echo into a spying device, completely through remote activation. And while this may sound like alarming news, it’s important to note that a key factor of the hack is that the interceptor must be on the same LAN.

To perform the hack, the researchers first had to prepare their hacking tool — a second Amazon Echo, which they had to modify by replacing parts and adding new pieces. Then, by connecting the modified digital assistant to the same LAN as the targeted Echo, they were able to communicate with it and surreptitiously make it begin recording sound and sending it to the modified Echo. Had they wanted, they could have done the reverse and pushed sounds from the modified Echo to play out of the targeted one.

Before giving their presentation, the researchers contacted Amazon to report the vulnerability, and the e-tail giant swiftly released a patch to resolve the flaw. The Amazon Echo updates automatically, so no action is required by owners for this fix. The company’s quick action to remedy the situation notwithstanding, the revelation pointedly voids their previous common dismissals that the Echo could be used for spying purposes.

“Everyone already knows that smart speakers are listening all the time in the event that they need to respond to our requests,” says Luis Corrons from Avast Threat Labs. “Just like any connected device, of course, it can eventually be hacked.” Corrons continues, “However, devices from reputable manufacturers that get automatic updates solving known security issues are not the devices that pose the risk. The larger issue this white-hat hack example points to is that any device is potentially hackable, and many people are not even aware that they even have a connected device. It is these lesser-known devices — the ones that have no automatic updates to address vulnerabilities — that pose a real risk for users.”

As the strange and wonderful world of IoT devices continues to grow in your home, Avast recommends: