With devices that work with Alexa, you can find anything without lifting a finger. Amazon Alexa makes the daily lives of millions easy and fast. But it can sometimes bring trouble to users; Alexa getting hacked is one example.
It can be alarming to learn that your Alexa has been hacked. Unusual behavior, unexpected purchases, unknown apps, increased data use, unknown voice profiles, changes in settings, and strange communications are some signs that Alexa is hacked.
There is more to learn and understand about whether Alexa is hacked. In this article, we will share how to tell whether Alexa is hacked, the common reasons behind the hacking, and ways to prevent it.
Account Access Anomalies
There are several ways unauthorized people can access Alexa accounts and carry out suspicious activity.
Below are some instances where there are higher chances of Alexa getting hacked:
Hackers build Amazon skills under false names
Users do many things with Alexa because third-party apps run on its platform, such as Spotify, Allrecipes, Headspace, etc.
Amazon calls these apps Amazon skills. By 2021, Alexa had gained around 100,000 skills.
Amazon sets particular requirements for making a custom skill, but researchers have found loopholes in them.
They found skills published under some company names, with no guarantee that these are genuine.
Researchers have even sent papers to Amazon, but Amazon insists its skills are secure and safe.
Hackers can create Amazon skills under false names and hack your Alexa through this.
User information can be collected through voice phishing
Some hackers carry out phishing attacks through voice squatting or skill squatting.
It exploits systematic errors in how speech is recognized, and it can lead users to enter false sites.
In 2018, hackers crafted phony Amazon skills that imitated widely used third-party applications.
This can lead the users to phishing sites that later ask for specific permissions and sensitive information.
Once you do that, hackers can access your Alexa and Alexa devices.
Alexa relies on voice, and to ensure that Alexa replies to known voices, users make voice profiles for Alexa to respond to those voices.
But since Alexa is a voice assistant, it sometimes begins to reply to anyone’s voice and even picks up incorrect words.
Attackers use a misspelling of another app's invocation phrase, for example, Citybank (phishing app) instead of Citibank.
When the user says, “Alexa, open the Citibank app,” Alexa will open the phishing app instead of the actual banking app.
Hackers will ask for personal information when a user unknowingly enters the false site.
Since users are unaware of this, they give the hackers all the information they ask for.
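The Citybank/Citibank confusion described above can be checked for on your own account. The following is an added example, not code from Amazon or from the original article: it compares the names of enabled skills against names you trust and flags any that are spelled differently but sound the same or nearly the same. The skill lists and the sound-alike rules are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Spellings that are pronounced alike. Order matters: soft "c" (before e/i/y)
# must be rewritten before the remaining hard "c" and before "y" becomes "i".
SOUND_ALIKE = [(r"ph", "f"), (r"ck", "k"), (r"c(?=[eiy])", "s"), (r"c", "k"),
               (r"q", "k"), (r"x", "ks"), (r"z", "s"), (r"y", "i")]

# Constructed sample data: names the user trusts and names found on the account.
TRUSTED = ["Citibank", "Spotify", "Headspace", "Allrecipes"]
ENABLED = ["Citybank", "Spotify", "Head Space", "Spotifie", "Weather Buddy"]


def phonetic_key(name):
    """Reduce a skill name to a rough 'how it sounds' key."""
    s = re.sub(r"[^a-z]", "", name.lower())      # drop spaces, digits, punctuation
    for pattern, repl in SOUND_ALIKE:
        s = re.sub(pattern, repl, s)
    return re.sub(r"(.)\1+", r"\1", s)           # collapse doubled letters


def audit_skills(enabled, trusted, near=0.85):
    """Return (skill, trusted_name, reason) for every sound-alike or near match."""
    genuine = {t.lower() for t in trusted}
    findings = []
    for skill in enabled:
        if skill.strip().lower() in genuine:
            continue                              # exact name: the real skill
        key = phonetic_key(skill)
        for brand in trusted:
            brand_key = phonetic_key(brand)
            if key == brand_key:
                findings.append((skill, brand, "sounds identical"))
            elif SequenceMatcher(None, key, brand_key).ratio() >= near:
                findings.append((skill, brand, "near match"))
    return findings


if __name__ == "__main__":
    for skill, brand, reason in audit_skills(ENABLED, TRUSTED):
        print(f"review '{skill}': {reason} to trusted name '{brand}'")
```

Any skill this flags should be checked against the publisher shown on its listing before you keep it enabled.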
Skill developers will alter backend codes
Amazon reviews and validates the certificates of the custom skills to prevent attackers from hacking your voice assistant or the devices using it.
However, developers can alter their backend codes after approval.
Attackers will take advantage of this situation, disguise themselves as reputed companies’ developers, and alter the backend codes to hack your Alexa or Alexa devices.
Most Amazon skills have undisclosed privacy policies
Most apps disclose privacy policies that explain how the developers collect and use data. But Amazon is an exception here.
A lot of Amazon skills do not disclose or publish privacy policies.
This can put the user’s privacy at risk.
Amazon is known to collect the voice recordings of Alexa users through specific skills.
Once the hackers learn these skills, targeting and hacking your Alexa devices becomes easier.
Amazon employees do the manual transcriptions
Though Alexa is a voice assistant, at the end of the day, it is humans who manage Alexa and make her a voice assistant for Amazon devices.
So, hundreds and thousands of employees listen to and review the audio clips daily.
Each person parses around 1,000 clips per shift.
The employees pick up and add phrases to the Amazon system to improve Amazon’s algorithm and ad tactics.
These employees will further send these recordings to other reviewers to help with the parsing.
They also do this if they find anything interesting or disturbing.
Though Amazon says reviewers cannot access the user’s personal information, investigations revealed that reviewers could see the user’s personal info, like first name, account number, and device’s serial number.
This does not mean the employees are hackers, as they work with strict contracts, but you never know.
Amazon Sidewalk can share your network with neighbors
Amazon Sidewalk is a program that can easily connect smart devices outside your house to a Wi-Fi network.
This works by making Amazon devices like Echo, Ring, and Echo Dot act as middlemen between Sidewalk and the network.
Other users, especially neighbors, can connect to this bridge.
Devices that need a strong Internet connection can easily be hacked via Wi-Fi connections.
So, sharing your network with your neighbors can be risky.
If any hacker stays in your area, you will never know unless the hacker hacks your Alexa or the devices by connecting to the bridge.
Laser lights can wake up Alexa
Laser-powered lights can activate the smart speakers of your home, even Amazon devices, and wake Alexa.
When hackers use laser-powered lights, the light is converted into sound commands that hijack the device.
If this happens, the attackers can easily access your other smart devices.
Alexa lacks voice-recognition authentication.
So, hackers can easily access your smart assistant and hack the devices.
That is why voice-recognition profiles are essential, as they will help Alexa personalize the responses.
Hackers can set commands with frequencies
This is called a Dolphin Attack.
Unlike laser-powered lights, you won’t be able to see or hear the ultrasound frequencies.
So it is challenging to detect.
Alexa is a voice-activated assistant, and Alexa devices use voices.
But they also hear, interpret, identify, and understand frequencies.
So, this is another easy way for hackers to get access to your Alexa and Alexa devices.
Hackers can send frequencies through videos and broadcasts.
How to know if Alexa has been hacked?
“Alexa, play some relaxing music.” It sounds too convenient to have everything done for you without any effort.
You only need to command Alexa; she will do everything for you.
But what if you notice some weird behavior in Alexa? For example:
- Alexa responding to something it should not
- Your device has some unknown skills installed
- The data usage is unexpectedly higher than normal
These situations can be alarming and worrisome.
Maybe your Alexa is hacked, and someone else is spying on you.
Alexa can be hacked in various ways, especially by hijacking Wi-Fi routers, making false Amazon skills, voice squatting, or code alterations.
Hackers can hack the device in extreme conditions using laser lights and frequencies.
So, what will you do?
How will you find out if Alexa is hacked or not?
However, I never experienced such things. But one of my friends faced it.
She suddenly saw high data usage in her devices but never used that much.
Additionally, her Alexa device’s light used to turn on without any wake calls.
This happened with her for a few weeks. One day, she discovered some unknown skills in her devices and sudden ad pop-ups.
So, I took my friend to a tech expert. He said that maybe Alexa got hacked.
He changed the passwords and did other technical stuff to prevent the hacking.
The expert also suggested some ways to identify whether Alexa is hacked. Below, I have shared them.
If you ever suspect that your Alexa is hacked, take a look at these points and try to investigate:
If you notice that Alexa is behaving unusually, it could be a sign that your Alexa is hacked.
However, do not declare that your Alexa is hacked just because it behaves weirdly 1-2 times.
At times, Alexa can misinterpret the wake words when there are too many background noises or people mention Alexa’s wake word while talking about something else.
When Alexa behaves weirdly for a long time, even after you have found the reasons behind the weirdness and fixed them, you can claim that Alexa is hacked.
For example, your Amazon Echo’s blue light will start beaming even if you never used the wake word for Alexa.
When you find these abnormalities, expect your Alexa to be hacked.
To prevent this, try to change the passwords of all the devices or consult a tech expert.
Changes in Settings
One day, you are going through the settings of Alexa devices and find sudden changes you do not remember doing.
I also sometimes forget about the changed settings I make.
But, if you are sure that you have not made specific settings in the devices or Alexa app, there are chances that your Alexa is hacked.
Try changing the settings as per your preference and keep checking them regularly.
If you again find the settings have changed, Alexa is likely to be hacked.
For example, maybe Alexa got permission to access some apps, which you have never confirmed.
Or, your Amazon app has some unknown apps linked to your profile account without your knowledge.
Change your Amazon password and go through the settings very carefully.
Remember the settings and preferences you have set.
If next time, anything happens, you will be able to know that your Alexa is hacked.
Contact the Amazon support team and consult a tech expert to discover the actual cause.
You go through your online shopping apps and discover unknown purchases you don’t recall.
Begin with investigating your house members, especially kids.
Today’s kids quickly learn to handle technology.
So, it is common for them to buy anything at random.
One day, I, too, saw this and panicked, thinking that maybe my Alexa or any Amazon devices got hacked.
But thankfully, those were some toys. My brother’s toddlers bought them.
So, I keep the devices away from them, as sometimes kids can turn on the voice purchase feature.
It can lead to unauthorized purchases only by the command “Alexa, buy (item name).”
But the situation may be unsafe for you. Hackers can easily access your Amazon profiles and make random purchases without your knowledge.
Hackers can mimic the user’s voice and buy unexpected stuff.
If you find any unexpected purchases in your cart, unplug your devices, change passwords, and contact Amazon support for help.
Unknown Skills or Apps
One common sign indicating that Alexa is hacked is finding some apps you do not recall installing.
Third-party skills are especially to blame.
Apps or skills from reputed developers are safe to use.
But third-party apps have a lot of bugs and glitches.
Providing them permission can allow hackers to know about the details.
This can make it easier for them to hack Alexa and their devices.
If your Alexa is hacked, you will find unknown skills and notifications from these unauthorized apps.
You will also notice strange behaviors that Alexa never does.
Change the passwords and contact your Amazon support for help if you find this.
Avoid clicking on or installing any random skills or sites you get from unknown people.
Check the list of skills you have on your devices that use Alexa.
If you find any you do not recognize, uninstall them immediately.
Unrecognized Voice Profiles
The Alexa devices are designed to respond to voices registered with the specific device.
You can do this by making a voice profile.
The voice profile is an identifier that matches the user’s voice to the device.
Hackers can bypass this security and make a voice profile of their own, gaining control of your device.
The hacker will then be able to use Alexa for all the tasks and services you use it for, for example, turning on/off lights, TV, or even opening your door (if it is an electronic deadbolt).
The hacker would also be able to hear all your crucial conversations.
If you suspect Alexa is hacked, go to the voice profiles and find out if any unknown profiles have been created.
If you do not recognize them, delete them immediately.
Change the passwords of all the accounts linked with Alexa and Alexa devices and reset your voice profile.
Enable two-factor authentication for extra safety.
I will discuss this later, so keep reading.
Device Access Logs
Device access logs help track the connections made in the devices where you use Alexa, like the IP address, the date and time, and the connection type.
When an unauthorized user gains access to any Alexa device, they can use it to make actions unknown to the actual user.
When you regularly monitor the device access logs, you can learn about these unauthorized connections and unusual actions and inspect them further.
You can also keep track of the unauthorized user’s activity and gather evidence during a security breach.
If you suspect Alexa is hacked, check the device access logging to find any unauthorized connections.
If you find any unauthorized connections, disconnect them, change Amazon passwords, and seek help from the Amazon support team or tech experts.
Increased Data Usage
You suddenly realize that the data usage of the Alexa devices is far higher than what you usually use.
This can indicate that someone else is using your Alexa devices when you are inactive.
The hacker can use the device by hacking Alexa to send or receive data, listen to your conversations, and even collect your personal and vital information to misuse them.
All these activities will lead to a sudden increase in data usage, which indicates that your Alexa is hacked.
The device running slower than usual is also a sign.
You need to check the data usage regularly to see if there is any increase in it.
Additionally, change your passwords, reset the voice profiles, and seek help from the Amazon support team.
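The two checks described under Device Access Logs and Increased Data Usage can be automated once the records are in a file. The following is an added example, not from the original article or from Amazon: it flags connections from addresses outside the networks you know and days whose traffic is far above the usual level. The log layout (timestamp, IP address, connection type, bytes), the sample lines, and the home network range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample records: timestamp, source IP, connection type, bytes.
# The field layout is an assumption; adapt parse() to what your log exports.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z 192.168.1.20 local 1200000
2024-05-02T19:40:03Z 192.168.1.20 local 900000
2024-05-03T07:15:45Z 192.168.1.21 local 1500000
2024-05-04T02:14:07Z 203.0.113.7 remote 48000000
2024-05-04T21:30:00Z 192.168.1.20 local 1100000
2024-05-05T09:12:30Z 192.168.1.20 local 1000000
2024-05-06T03:01:59Z 203.0.113.7 remote 52000000
""".splitlines()

KNOWN_NETWORKS = ["192.168.1.0/24"]   # assumption: the home LAN


def parse(lines):
    """Turn log lines into dicts, skipping anything malformed."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        stamp, ip, kind, size = parts
        try:
            records.append({"time": stamp, "day": stamp[:10], "type": kind,
                            "ip": ipaddress.ip_address(ip), "bytes": int(size)})
        except ValueError:
            continue                   # bad IP address or byte count
    return records


def unknown_connections(records, known_networks):
    """Connections whose source address is in none of the known networks."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    return [r for r in records if not any(r["ip"] in n for n in nets)]


def heavy_days(records, factor=3):
    """Days whose total traffic exceeds `factor` times the median day."""
    totals = defaultdict(int)
    for r in records:
        totals[r["day"]] += r["bytes"]
    baseline = median(totals.values())
    return sorted(d for d, total in totals.items() if total > factor * baseline)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in unknown_connections(recs, KNOWN_NETWORKS):
        print(f"unknown source {r['ip']} ({r['type']}) at {r['time']}")
    print("unusually heavy days:", heavy_days(recs))
```

The median is used as the baseline so that one or two heavy days do not raise the threshold and hide themselves.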
Email or Account Notifications
Nowadays, when anyone tries to log in to your account, you will receive an account notification or an email about the login.
This happens when you use your information to log in to your account on a different device.
You will receive a notification every time you log in from a device.
To receive notifications, you must go to the security login option, where you will get another option for receiving alerts about unrecognized logins.
Sometimes, house members can be blamed.
But if they did nothing, some hacker is trying to use your account.
Whenever you receive these notifications, change your Amazon password.
For extra safety, use the 2-factor authentication in your Amazon account. This provides an extra layer of security.
Since Alexa runs with software, tampering with the Alexa devices to hack your Alexa may not be possible.
However, using hardware products like smart bugging or introducing malware into the Amazon Echo and Echo Dot devices can make hacking possible.
With these, the hacker will learn about your Amazon passwords and every other detail when you talk about them to someone.
In 2017, a British hacker managed to install malware in a person’s Amazon Echo, which turns the device into a remote listening device.
Mark Barnes has discussed a technique where hackers can stream audio from all Amazon devices using a soldered SD card.
However, the process is not easy and cannot be done remotely.
Additionally, Amazon has declared that hackers can’t do such processes in the Amazon Echo devices produced after 2017.
However, if you feel that someone is spying on you and that this is why Alexa is behaving weirdly, then along with the above points, also check the devices for any physical tampering.
Alexa can interact with outside servers with the help of APIs.
When you ask Alexa to perform a task, it will request the server hosting the API for the requested task.
The server will respond and send it back to Alexa to provide you with the task’s reply.
There have been incidents of Alexa trying to contact unknown external servers.
If hackers can access Alexa devices, they will send data from your device by communicating with Alexa to servers of different locations.
And this will happen without your knowledge.
One day, I was talking to my friend who had brought a new Amazon Echo.
He told me that his Alexa suddenly started calling an unknown number one day.
So, he immediately changed the passwords and sought professional help.
If you suspect such things, check the device log to determine whether Alexa communicates with external or unknown servers.
Change your Amazon account passwords immediately, report to the Amazon support team, and turn on the two-step authentication for extra security.
Check your Alexa devices and accounts regularly for weird behaviors, unknown sources, extra data usage, etc., to understand whether anyone is hacking your Alexa or Alexa devices.
Two-factor authentication is a security feature that provides an extra security layer for your Amazon accounts and devices.
Along with putting in the account password, your phone number should receive a code the user needs to enter before the final login.
Only then can the user access the account.
In a summit held in 2017, it was said that since Alexa does not need two-factor authentication, accessing Amazon accounts is easier, especially for people who can get an individual’s Amazon credentials and Alexa devices.
So, since Amazon accounts have the two-factor authentication feature, using it can reduce the risk of getting hacked.
How to enable Two-Factor Authentication (2FA) for Amazon accounts?
To turn on the 2FA feature in your Amazon account, first, you need to stay logged in to your account. Next, follow these steps:
- Go to your Account → Login and Security → Edit button next to Advanced Security settings.
- On the top side of the page, next to Advanced Security Settings, click on GET STARTED.
- You will receive options about how to receive the 2FA codes. There will be an AUTHENTICATOR APP and PHONE NUMBER.
- By choosing the PHONE NUMBER, you will put your phone number; with every log in, your number will receive an OTP. You have to enter the OTP and then log in.
- As for the AUTHENTICATOR APP, first, install the app, and open it to add an account.
- If you use the Amazon website, scan the QR code shown by Amazon and follow the instructions in the app.
- If you use the Amazon app, copy the extended code and add it manually to the AUTHENTICATOR APP. Type the code generated by the app into the ENTER OTP textbox on the page and click VERIFY CODE AND CONTINUE.
- If you use the Amazon website, the next stage will be information about how to use the 2FA feature for a device that cannot display the second screen.
Now, on the website, there is no information about what devices are used, but images suggest the old Kindle versions.
On the page, inform Amazon that your current browser does not need a 2FA check by clicking the DON’T REQUIRE CODES ON THIS BROWSER checkbox.
You should do it if you are using your own computer or laptop.
If the browser you use is set to DELETE COOKIES WHEN YOU CLOSE THE BROWSER DOWN, it won’t work unless you tell the browser to make an exception for Amazon cookies.
Next, click on GOT IT.
Now, turn on the TWO-STEP VERIFICATION, and you have completed it.
Next, you will reach the ADVANCED SECURITY SETTINGS page.
Amazon will not give you backup codes if you have a problem with the 2FA.
It will send you an SMS if your AUTHENTICATOR APP is not working.
On the ADVANCED SECURITY SETTINGS, you will see a BACKUP METHODS section, with the option ADD NEW PHONE.
Use this as a recovery phone to receive the SMS if you lose your primary number.
If you don’t have any, use the phone number of a trusted person.
Otherwise, you must contact the Amazon support team if your account is hacked and you cannot access it anymore.
Security Best Practices
Getting fooled by hackers in today’s world is easy.
Along with improved technology, the methods of hacking have also improved.
At the same time, several practices can help prevent hacking.
Ultimately, being careful and not responding to all types of apps and skills is the most important thing a user should do.
In this section, I will share some best security practices and tips every user should follow to protect Alexa and the devices from getting hacked:
- Keep your devices, Amazon, and Alexa apps up to date. The developers keep improving the security with every update. So, with updated apps and devices, the chances of hacking will be reduced.
- Use two-factor authentication to add an extra security layer to your apps and devices. This feature will ask you to enter a code from your smartphone besides putting in the account password. And without this code, no one can access your account.
- Keep checking your apps regularly for unknown activities, like unknown purchases, high data usage, strange communications, unknown voice registration, etc. Change your account password and reset or restart your devices whenever you see such things.
- Do not use the same password all the time. Set a particular time and change the password regularly. It will keep the hackers from knowing the password and hacking Alexa or the devices.
- Use a strong and personal password so hackers cannot easily guess and use them.
- Keep your Alexa devices in a secure location where no one can tamper with them.
- Turn on the feature that allows you to receive notifications and emails whenever anyone tries logging into your account through a different service.
- Use the Do not send voice recording option to keep Amazon from storing your voice. With this, hackers cannot mimic your voice and misuse Alexa.
- Instead of using the default wake word, try something else.
Reporting and Response
If you ever suspect that your Alexa or the Alexa devices have been hacked, do the following things for the time being:
- Check your device for unusual behaviors, like Alexa doing random things not commanded, sudden purchases, battery draining faster, a device running slowly, high data usage, etc.
- Also, check for unknown external servers, strange communications, and unknown authorizations.
- Change the passwords of your Amazon accounts and Wi-Fi immediately.
- Delete all the voice profiles you have created, and reset them again.
- Restrict remote access.
- Disconnect or reset your device.
- Scan for malware.
- Contact and report it to the Amazon support team.
- If you have any tech friends, consult them for expert suggestions.
In today’s tech world, along with the increased usage of technologies and the introduction of new ones, the hacking method has also improved. Alexa no doubt makes our lives easier, but you need to be careful while using it. Remember that both Alexa (the assistant) and Alexa devices can be hacked.
Besides the several instances that indicate how Alexa can be hacked, there are ways to identify and even fix it. Use the methods I have shared to identify whether your Alexa is hacked. To keep Alexa and Alexa devices safe, avoid entering any random sites, keep changing the passwords of your accounts and Wi-Fi regularly, reboot your devices every 2-4 weeks, use two-factor authentication, and use the voice-recognition profile.
If you suspect that Alexa is already hacked, check the privacy concerns, unplug and reset your device, change all the passwords and use strong passwords, reset the voice profiles, and contact Amazon support for help.
Does Alexa follow commands from anyone?
Since Alexa lacks voice-recognition authentication, she will follow commands from anyone. You can use the voice-recognition profile to help Alexa respond to only personalized words to prevent it.
What wake words can I use except the default one?
Alexa is the default word for all Alexa devices. So, hacking becomes convenient. Try using something else like Amazon, Computer, Ziggy, Echo, or Hey Disney. You can use the word twice to make a wake word, for example, Echo, Echo, or Hey Disney, Hey Disney.