In 2018, a husband and wife in Portland, Oregon, discovered that their Amazon Echo picked up and sent a private conversation to one of the husband’s employees. A few months earlier Echo’s voice assistant Alexa began laughing, unprompted, in many users’ homes, which Amazon attributed to devices simply mishearing a command.
These alarming incidents, along with occasional reports of flaws in smart speaker operating systems, have heightened awareness about Alexa security, Amazon Echo security and consumer privacy when using smart home devices.
So before you pick up a new smart speaker on Prime Day (July 15)—or purchase other smart home devices that connect to one—read up on Amazon Alexa security concerns and how you can protect your personal information while using an Amazon Echo.
Can Alexa be hacked?
More than a quarter of Americans use smart speakers—and 40% more adults owned these devices in January 2019 than just one year prior, according to recent industry research from Voicebot.ai. Amazon’s Echo devices with Alexa continue to be the most widely used smart speakers, though Google Home is also growing in popularity.
With this ubiquity comes continued worries that smart speakers, which listen, record and store conversations, can be hacked and used to invade consumer privacy.
Robert Siciliano, a Boston-based security awareness expert and CEO of Safr.me, points to two major risks with Alexa-enabled devices. The first is with Amazon itself. When you speak to Alexa, your Echo records and stores the audio of your conversation, and Amazon uses those recordings to train Alexa’s speech recognition and artificial intelligence capabilities.
While you can delete your voice recordings, Amazon recently revealed that it holds on to some of your data—including some text transcripts—even after the audio has been removed. This means Amazon employees and Alexa’s developers may have continued access to your information.
Without the proper security and privacy precautions, both your Echo and the network it’s connected to are also vulnerable to hackers, said Siciliano. If your Wi-Fi and router aren’t password-protected, for example, it’s easy for someone to tap in and take over.
Is Alexa always listening?
The short answer is “yes.” Like other smart speakers, your Alexa-enabled device is always listening for the “wake word” that signals you’re about to ask a question or make a request. Amazon Echo has four wake word options: “Alexa,” “Echo,” “computer” and “Amazon.”
Amazon says your Echo will not record or store any audio unless it detects the wake word you’ve selected. But this doesn’t mean your speaker won’t accidentally activate and record things you don’t mean for it to hear. If you use your wake word in everyday conversation, for example, you could trigger your Echo. This is a good reason to set your wake word to whatever you’re least likely to say.
Smart speakers may also turn on when they hear audio patterns that are very similar to the wake word—Alexa’s creepy laughing streak last year was a terrifying example of this.
That process of listening, recording and storing information—and recognizing all the conveniences you prefer—is what makes Alexa useful to consumers in the first place, Siciliano explained. After all, if you have to remind your smart speaker where to order pizza from and what toppings you want every single time, you might as well just pick up the phone.
“If you don’t want any of that information stored and recorded, then you shouldn’t have one of these devices,” he said.
While the fact that Alexa is always listening is an obvious privacy weakness, it’s a potential strength in some situations. If you enable the new Alexa Guard feature (described below), for example, your Echo device’s eavesdropping could actually improve the security of your home.
How do you use Alexa Guard on Amazon Echo for security?
You may be worried (and rightfully so) about protecting your privacy from Alexa, but you can also take advantage of Alexa’s always-on nature to secure your property. Alexa Guard, which Amazon launched earlier in 2019, turns your Echo into a (free) basic home security system.
Here’s how it works. When you set up the Guard function in your Alexa app, Echo devices in your home are able to detect your smoke and carbon monoxide alarms as well as the sound of glass breaking. You’ll get an alert on your phone and a short recording of the sound your speaker picked up. From there, you can use the Echo’s Drop In feature to find out more and then call for help if needed.
Guard can also forward alerts to some professionally monitored security systems, including ADT and Ring (if you’re a current customer).
To enable Alexa Guard when you’re away from home, you’ll say “Alexa, I’m leaving.” To disable when you return, say “Alexa, I’m home.”
If Alexa Guard provides a layer of protection for your home that you might not otherwise have, that’s not a bad thing, said Siciliano. He noted, however, that because Alexa wasn’t designed to be a home security system, you shouldn’t rely solely on this technology.
Best practices for Alexa privacy and security
Privacy concerns don’t have to prevent you from using an Alexa-enabled device. With a little bit of knowledge and a few security precautions, you can lessen the likelihood of your sensitive information being recorded and used by bad actors.
- Stay aware of your Echo’s location. Before you discuss sensitive information with a family member or hop on the phone with your bank, take note of how close you are to your smart speaker. Step away toward a more private spot if needed.
- Move your device to a low-traffic area. If you tend to congregate in your kitchen, for example, consider placing your Echo farther away—like in a room where you can shut the door behind you—so your casual conversation is less likely to trigger Alexa.
- Change the wake word. As we note above, Amazon gives you four options to “wake” Alexa: “Alexa,” “Echo,” “computer” and “Amazon.” Set your device to respond to the one that you’re least likely to use in everyday conversation.
- Disable the microphone. Press the “Microphone Off” button on your Echo—it won’t be able to listen or record even if you say the wake word. Better yet, unplug the device entirely. Of course, doing this will render your device useless until you plug it back in or turn the microphone back on.
- Delete old recordings. Amazon stores everything Alexa overhears until you delete it. Go to Settings > Alexa Privacy in your Alexa app or the Manage Your Content and Devices page on Amazon’s website. You can also delete recent recordings via speaker with the commands “Alexa, delete what I just said,” and “Alexa, delete everything I said today.”
- Look for technology that alters Alexa’s listening capabilities. What if you could jam your Echo’s microphone so Alexa only listens in when you want her to? Projects like Alias, a “teachable parasite” that gives you more customized control over your smart speaker, may be the answer. Of course, Alias is still experimental and requires some programming knowledge to set up, but it shows that better privacy is a possibility.
- Secure your home network. If your wireless network and router aren’t password-protected, anyone can access your Echo (and all the other devices that are connected to your Wi-Fi). Take basic precautions to protect your data: Use complex passwords, set up a firewall, ensure your devices’ firmware is always up to date, and consider connecting your smart home devices through an entirely separate network from the one you use to bank and shop.
- Take basic steps to avoid scammers. Even if you take precautions, there’s a possibility that your personal information could be found and used. If you start receiving suspicious emails or phone calls, use reverse lookup and email search tools to identify who’s contacting you.
Alexa offers a lot of hands-free convenience for everyday tasks, whether it’s DJing your summer BBQ, reading recipes aloud, reordering paper towels or locking your doors. But that convenience comes at a cost: You give up some personal privacy to Amazon and anyone who manages to hack your home network, your Echo or even your Amazon account where your recordings are stored.
“When a device is in the home, and it is listening in on conversations, and those conversations are being recorded by a large corporation, the expectation of privacy should be zero,” Siciliano said.
However, if the benefits of a smart speaker (home security capabilities, for example) outweigh the risks, a little bit of caution around Alexa can go a long way.