
How Hackers Hack Smart Home Devices — and How to Protect Yourself

How attackers exploit Alexa, Google Home, and smart-home ecosystems — and how to defend.

Defender's Guide. This is a defender-focused resource covering attack patterns at a conceptual level so you can recognise threats and protect yourself or your organisation. The page does not include step-by-step exploitation procedures. If you suspect you are currently being targeted or have been compromised, skip to the sections on recognising compromise and what actually protects you.

What attackers want from Smart Home Devices

Smart home devices — Alexa, Google Home, smart locks, smart thermostats, smart bulbs, smart plugs, smart appliances — accumulate fast in modern homes. Each one is an internet-connected computer with its own attack surface, varying levels of vendor security commitment, and often a long lifecycle measured in years where vendor security attention may decline. The aggregate attack surface across a typical smart home is much larger than people realise.

The realistic threats range across categories: account compromise (someone accessing your Alexa or Google account gains visibility and control over devices linked to it), device-level vulnerabilities (older smart bulbs or plugs with weak security used as network entry points), voice assistant manipulation (commands issued from outside the home through smart speakers placed near windows), and abandoned/unsupported devices accumulating known vulnerabilities over years.

For most households, the protection priorities are straightforward: secure the cloud accounts that smart devices connect to (Amazon, Google, Apple), put smart devices on a separate network from sensitive devices like laptops and phones, prefer reputable manufacturers with ongoing security support, and replace devices that are no longer receiving updates rather than letting them accumulate vulnerabilities indefinitely.

How attackers actually do it

Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.

Cloud account compromise (Amazon, Google, Apple)

Smart home devices typically connect to a cloud account. Compromise of that account grants access to all linked devices — see camera feeds, control locks, monitor activity. Account compromise is more common than device-level compromise for typical users. The cloud account becomes the keys to the smart home.

Devices with weak default credentials

Many smart devices ship with weak default passwords — sometimes the same credentials across all units of a model. Devices with admin interfaces accessible on the local network with weak credentials are easy targets for anyone briefly on the network (visitor, compromised guest device).

Outdated firmware on long-lived devices

Smart bulbs, plugs, thermostats from 5+ years ago may no longer receive firmware updates. Vulnerabilities discovered after vendor support ends remain exploitable indefinitely. The device continues working as expected; the security degrades over time.

Voice command exploitation through walls and windows

Smart speakers (Alexa, Google Home) placed near windows can hear voice commands from outside. Researchers have demonstrated command injection via modulated laser light aimed at the microphone (the "Light Commands" attack), via loud audio through walls, and via commands embedded in TV or radio audio. This category is specific to voice assistants. Mitigations include placing speakers away from external walls and windows and enabling voice match where available; note that voice match is a convenience feature rather than an authenticator (a recording of the owner's voice can satisfy it), so do not rely on it to protect purchases or locks.

Abuse via legitimate smart-home features in stalking scenarios

Smart locks, cameras, thermostats, and lights can be used by abusive partners to monitor, harass, or control victims: legitimate features used for illegitimate purposes, such as changing the thermostat remotely, watching cameras after a relationship ends, or revoking smart-lock access. The Coalition Against Stalkerware and similar organisations document this pattern.

Botnet recruitment via vulnerable devices

Mirai-family botnets specifically targeted IoT devices with default credentials. Compromise often does not noticeably affect the user: the device is recruited into a botnet and used for DDoS attacks against third parties. Such devices are a major contributor to internet-scale attack capacity.

Network pivoting via compromised IoT to other devices

A compromised smart device on the same network as laptops, phones, and NAS units provides a launching point for attacks against those higher-value devices. Even if the attacker initially compromised only a smart bulb, they may be able to use it as a foothold for further attacks. Network segmentation (a separate guest network or VLAN for IoT) limits this.

Privacy data exposure via vendor breaches

Smart devices generate significant data — voice recordings, video, occupancy patterns, device usage. Vendor breaches expose this data even when individual devices are secure. Past breaches have included voice recordings, camera footage, location patterns, etc.

How to recognise compromise

Signs that your smart home devices may have been compromised:

Smart devices behaving in ways you did not initiate

Lights turning on/off you did not control, thermostat changing without your input, smart locks unlocking unexpectedly, voice assistants responding to commands you did not give. Investigate via account activity logs and device-specific apps.

Account activity from unfamiliar locations or devices

Amazon, Google, and Apple accounts all show recent sign-in activity. Review it periodically; access from unusual locations or devices may indicate account compromise, and through the account, control of your smart-home devices.

Voice assistant history shows commands you did not give

Alexa and Google Home both retain command history accessible via app. Commands you do not remember giving — especially attempts to access sensitive data, control other devices, or make purchases — warrant investigation.

New smart-home automations or routines you did not create

Routines, automations, scenes appearing in smart-home apps that you did not configure. Indicates either someone with account access setting them up, or installed third-party app/skill creating them.

Notifications about device activity at unusual times

Smart locks unlocked when you are not home, doorbell rung when no one is there, lights changing during periods you should be elsewhere. Some are mundane (visitor at door, scheduled automation) but unexplained patterns warrant investigation.

Cloud account 2FA being challenged unexpectedly

If your Amazon/Google/Apple account challenges you for 2FA when you have not been logging in, someone else is attempting access. Strong signal to investigate account security.

What actually protects you

Concrete actions, roughly ranked by impact. The first two (cloud account security and network separation) are the highest-leverage protections; do those first.

Strong unique password and 2FA on all cloud accounts (Amazon, Google, Apple)

Smart-home devices link to cloud accounts, so the security of those accounts determines smart-home security. Use a hardware security key or app-based 2FA on each (SMS codes are better than nothing but can be intercepted via SIM swapping), and a password manager to generate unique strong passwords. Most "smart home hacks" are actually cloud account compromises; protecting the accounts is the highest-leverage step.

Put smart devices on a separate network (guest WiFi or dedicated VLAN)

Most modern routers support a guest WiFi network isolated from the main network. Put smart bulbs, plugs, cameras, voice assistants, thermostats, and smart appliances on the guest network, and keep laptops, phones, and NAS units on the main network. A compromised smart device then cannot directly attack devices on the other network, a significant blast-radius reduction. Two caveats: confirm the guest network actually blocks access to the main LAN rather than only isolating guests from each other, and expect some devices that rely on local discovery from your phone (Chromecast, Hue bridges, some speakers) to need a VLAN with explicit allow rules rather than a fully isolated guest network.

Buy from reputable manufacturers with ongoing security support

Major smart-home brands (Amazon, Google, Apple, Philips Hue, Sonos, Ecobee, Nest) generally provide ongoing security updates for their devices. Cheap unbranded alternatives often have weaker security and minimal update commitments. The cost difference is often modest; the security and lifecycle difference is significant.

Replace devices that no longer receive firmware updates

Periodically check whether your smart devices are still supported by the manufacturer. Devices abandoned by the vendor accumulate vulnerabilities indefinitely. Replacing five-year-old smart bulbs is annoying; running them with known vulnerabilities gets gradually worse. Factor the vendor's stated support timeline into purchase decisions.

Disable features you do not use

Each enabled feature is potential attack surface. Disable voice purchasing if you do not use it. Disable remote access if you only use devices on the local network. Do not install third-party skills or actions you do not need. Smart-home defaults often optimise for capability over security.

Audit installed skills/actions/automations periodically

Voice assistants and smart-home hubs allow third-party integrations. Each is potential attack vector. Quarterly review; remove anything you do not actively use. Old installed skills accumulate over years.

Disable voice purchasing or require PIN

Voice assistants enable purchasing by default. Require a PIN for purchases, or disable purchasing entirely if you do not use it. There have been several incidents of children, TV ads, and pranksters making unauthorised purchases via voice assistants.

Place voice assistants away from windows and external walls

Voice command attacks (laser injection, audio through walls, TV/radio injection) require line of sight or proximity to the microphone. Smart speakers in interior locations away from external walls and windows are harder to target.

For high-sensitivity rooms, consider not having internet-connected devices

Bedrooms and home offices may not need smart bulbs, voice assistants, or smart appliances. Each device is data exposure and attack surface; deciding what NEEDS to be smart vs. what could be dumb is reasonable security thinking.

Monitor for unusual outbound traffic from IoT network

For users with capable routers, monitoring outbound traffic from the IoT segment can detect compromise: unusual destinations, large data uploads, unexpected protocols, or IoT devices attempting to reach the main LAN. Higher-end consumer routers (UniFi, eero+, Asus AiProtection) provide some visibility; prosumer hardware provides more.
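The following is an added example, not code from this guide or from any router vendor, showing what such monitoring looks like in practice for both the pivoting scenario described earlier and the outbound-traffic monitoring above. It reads flow records in a key=value format of the kind a router or conntrack exporter might produce, learns each IoT device's normal destinations from a clean baseline window, and then flags flows that reach the trusted LAN, use risky ports, go to new destinations, or upload unusually large volumes. The subnet addresses, port list, upload threshold, log format and all sample records are constructed assumptions for the example; adapt them to your own network and export format.

```python
"""Flag suspicious outbound traffic from an IoT network segment.

Added example (not from the guide or any vendor tool): reads flow records,
one per line with key=value fields as a router or conntrack exporter might
log them, learns a per-device baseline of normal destinations from a clean
window, then reports segmentation violations, new destinations, risky
ports and large uploads. The log format, addresses and records below are
constructed for this example; adapt them to your router's export format.
"""
import ipaddress
import re
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.20.0/24")  # assumed IoT VLAN
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed trusted LAN
# Ports a bulb, plug or speaker has no business talking to (assumed list).
RISKY_PORTS = {23: "telnet", 25: "smtp", 445: "smb", 3389: "rdp", 6667: "irc"}
UPLOAD_LIMIT = 50_000_000  # bytes in one flow; far above a plug's normal traffic

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed "known good" window: the devices' normal cloud endpoints.
BASELINE_LOG = """\
2024-05-01T10:00:01Z src=192.168.20.11 dst=52.94.236.10 proto=tcp dport=443 bytes_out=2100
2024-05-01T10:00:05Z src=192.168.20.11 dst=52.94.236.10 proto=tcp dport=8883 bytes_out=900
2024-05-01T10:01:12Z src=192.168.20.12 dst=142.250.72.14 proto=tcp dport=443 bytes_out=31000
2024-05-01T10:01:13Z src=192.168.20.12 dst=192.168.20.1 proto=udp dport=53 bytes_out=80
2024-05-01T10:02:00Z src=192.168.10.5 dst=1.1.1.1 proto=udp dport=53 bytes_out=70
"""

# Constructed live window containing a pivot attempt against the LAN, an
# IRC-style connection, a new camera uploading 83 MB, and a malformed record.
LIVE_LOG = """\
2024-05-02T03:14:07Z src=192.168.20.11 dst=52.94.236.10 proto=tcp dport=443 bytes_out=1800
2024-05-02T03:14:09Z src=192.168.20.11 dst=192.168.10.5 proto=tcp dport=445 bytes_out=4300
2024-05-02T03:15:00Z src=192.168.20.12 dst=142.250.72.14 proto=tcp dport=443 bytes_out=29000
2024-05-02T03:15:41Z src=192.168.20.12 dst=198.51.100.77 proto=tcp dport=6667 bytes_out=512
2024-05-02T03:16:30Z src=192.168.20.13 dst=203.0.113.9 proto=tcp dport=443 bytes_out=83000000
2024-05-02T03:16:31Z src=192.168.20.13 dst=oops proto=tcp dport=443 bytes_out=1
2024-05-02T03:17:00Z src=192.168.10.5 dst=8.8.8.8 proto=udp dport=53 bytes_out=64
"""


def parse_flow(line):
    """Parse one record into a dict; return None for malformed lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    try:
        return {
            "ts": parts[0],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"],
            "dport": int(fields["dport"]),
            "bytes_out": int(fields["bytes_out"]),
        }
    except (KeyError, ValueError):
        return None


def learn_baseline(lines):
    """Per IoT device, the set of (dst, proto, dport) seen in a clean window."""
    baseline = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f and f["src"] in IOT_NET:
            baseline[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return baseline


def analyze(lines, baseline):
    """Return (src, category, detail) alerts; several may fire for one flow."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if not f or f["src"] not in IOT_NET:
            continue  # skip malformed records and non-IoT sources
        src, dst, dport = str(f["src"]), str(f["dst"]), f["dport"]
        if f["dst"] in LAN_NET:
            # IoT host reaching the trusted LAN: pivot attempt or broken isolation
            alerts.append((src, "lan_pivot", f"{dst}:{dport}"))
        if dport in RISKY_PORTS:
            alerts.append((src, "risky_port", RISKY_PORTS[dport]))
        if (f["dst"], f["proto"], dport) not in baseline.get(f["src"], set()):
            alerts.append((src, "new_destination", f"{f['proto']}/{dst}:{dport}"))
        if f["bytes_out"] > UPLOAD_LIMIT:
            alerts.append((src, "large_upload", f"{f['bytes_out']} bytes"))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG.splitlines())
    for src, category, detail in analyze(LIVE_LOG.splitlines(), base):
        print(f"{src:15} {category:16} {detail}")
```

Run as a script, it prints seven alerts for the constructed live window: the plug's SMB connection into the LAN (three alerts, since it is a pivot, a risky port and a new destination at once), the speaker's IRC connection, and the camera's new destination and oversized upload; the malformed record and the LAN host's own DNS query are ignored. The baseline approach is deliberately simple: a device learned during an already-compromised window would have its attacker traffic baked into the baseline, so build the baseline right after setup or a factory reset, and review the new-destination alerts after every firmware update, since vendors do change endpoints.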

Frequently Asked Questions

Are smart speakers always listening?

Smart speakers listen continuously for the wake word ("Alexa", "Hey Google", "Hey Siri"). Audio before the wake word is processed locally on the device, not sent to the vendor; that is how the device knows when the wake word occurs. After the wake word is detected, audio is sent to the cloud for processing. The privacy concern is real but more nuanced than "everything you say is sent to Amazon".

Can someone hack my smart home remotely?

Yes, via several paths: cloud account compromise (the most common), a vulnerable device exposed to the internet, or compromise of the router, which gives access to the internal network. The probability depends on configuration: strong cloud account security and a segregated IoT network make remote compromise much harder.

Are smart locks safe?

A tradeoff. Pros: convenient access management, an audit trail of who entered when, remote unlock for guests or contractors. Cons: another internet-connected device to maintain, potential for unauthorised access via cloud compromise, and mechanical reliability concerns with electronic components. Reputable smart locks (August, Yale, Schlage Encode) from well-supported manufacturers are reasonably secure; cheap alternatives often are not. The mechanical and physical security of the lock matters as much as the digital security.

How do I know if my Alexa or Google Home has been hacked?

Indicators: command history showing commands you did not give, automations or routines you did not set up, account activity from unfamiliar devices or locations, and devices behaving in ways you did not initiate. Both the Alexa and Google apps show command history; review it periodically.

Are cheap smart devices less safe than big-brand ones?

Often, yes. Cheap devices frequently have weaker security defaults, shared default credentials, minimal firmware update commitments, and shorter vendor support lifecycles. Reputable brands cost more but generally provide ongoing security support. The cost difference is often modest; the security and lifecycle difference is significant.

What is Matter, and does it improve security?

Matter is an industry-standard protocol designed to work across vendor ecosystems. It generally improves interoperability and reduces vendor lock-in, and its security model is reasonably good. It is worth considering for new devices when your hub supports it. Not a magic security bullet, but generally a positive direction.

Can a partner or ex use smart-home devices to spy on me?

Yes, if they have access to the cloud accounts the devices link to, or set up the smart-home hub themselves. Smart locks log entry and exit, cameras can be viewed remotely, voice assistants log commands, and thermostats and lights reveal occupancy patterns. In healthy relationships this is not a concern; in abuse situations it can mean ongoing surveillance and control. The Coalition Against Stalkerware has guidance for these situations.

How do I safely dispose of or sell a smart device?

Factory reset before disposal (this wipes WiFi credentials, account links, and locally stored data). Some devices retain data beyond a reset, so follow the manufacturer's specific disposal guidance. For devices with sensitive data (cameras with stored footage, smart locks with access codes), more careful disposal is warranted. Donate or sell only after a thorough reset; use e-waste recycling for devices reaching end of life.

Should I just not have smart devices at all?

A reasonable choice for high-sensitivity environments. Most consumers will accept smart-device convenience with reasonable security practices (strong cloud account security, a separate IoT network, reputable brands, ongoing replacement of unsupported devices). The critical decision is which devices NEED to be smart versus which could be dumb; resist the assumption that everything benefits from internet connectivity.

Which ecosystem is most secure: Apple, Google, Amazon, or open source?

Apple HomeKit has the strongest privacy positioning (end-to-end encryption, local processing where possible). Google and Amazon ecosystems are widely supported with reasonable security but are more cloud-dependent. Open-source options (Home Assistant, OpenHAB) provide more control at the cost of higher complexity. The choice depends on your values: privacy-maximising (Apple), interoperability (Matter-compatible devices across vendors), or self-hosted (Home Assistant).