How to Tell If Your Home Assistant or Alexa Was Compromised: Security Audit Guide
Smart home assistants like Amazon Alexa and Home Assistant have become central to our digital lives, controlling lights, locks, thermostats, and accessing sensitive information. Knowing how to detect if these devices have been compromised is essential for maintaining your privacy and security. This guide covers the key indicators of compromise, how to audit your devices, and practical steps to secure them.
Signs Your Smart Assistant May Be Compromised
Detecting a compromise early can prevent further intrusion. Here are the most common warning signs:
Unusual Activity on Your Account
- Unexpected voice recordings in your history that you do not recognize
- New smart home devices added to your account without your knowledge
- Automation routines you did not create, especially those that trigger at odd hours
- Unfamiliar smart home groups or scenes configured in your system
- Changes to account settings such as phone numbers, email addresses, or payment methods
Device Behavior Anomalies
- Microphone activating spontaneously when not triggered by the wake word
- Lights blinking or devices activating without corresponding voice commands or automation triggers
- Unexpected reboots or firmware updates you did not initiate
- Increased network traffic from your smart device when idle
- Lag or delayed responses that persist after network troubleshooting
Network-Level Indicators
- Unknown devices connected to your network with MAC addresses you do not recognize
- Unusual DNS queries from your smart devices to suspicious domains
- Increased data usage that cannot be attributed to normal operation
- Port scans or connection attempts from your smart home hub to external addresses
How to Audit Your Amazon Alexa
Review Voice History
- Open the Alexa app on your mobile device
- Go to Settings > Alexa Privacy > Review Voice History
- Filter by date and carefully examine recordings you do not recognize
- Note any recordings that occurred while you were away from home
- Delete suspicious recordings and history
Check Activity and Smart Home Devices
- Navigate to Settings > Account Settings > History
- Review the full activity log for unrecognized commands
- Go to Settings > Alexa Privacy > Manage Your Alexa Data
- Review connected smart home devices and remove any you do not recognize
- Check for้็ skill permissions in Settings > Skills > Your Skills
Audit Alexa Skills
- Open the Alexa app and go to Skills
- Review all installed skills, especially those you did not intentionally install
- Remove skills that request excessive permissions:
- Access to voice recordings
- Contact list access
- Payment permissions
- Home network control
- Disable skills you no longer use
Check for Unrecognized Routines
- Go to More > Routines in the Alexa app
- Review all active routines, noting their triggers and actions
- Look for routines that:
- Run at unusual times
- Control multiple devices unexpectedly
- Send notifications or emails
- Interact with third-party services
How to Audit Your Home Assistant
Review the Logbook
- Access your Home Assistant web interface
- Navigate to Configuration > Logbook
- Filter for unusual time periods when you were not home
- Look for:
- Unexpected device state changes
- Automation executions you did not trigger
- Unknown user logins
- Service calls to unfamiliar integrations
Check Automation and Script Executions
- Go to Configuration > Automations
- Review all automations for:
- Unknown or recently added automations
- Automations with HTTP requests to external services
- Automations that trigger on unusual events
- Hidden or disabled automations that may have been intentionally concealed
- Check Configuration > Scripts for unfamiliar scripts
- Review the automation trace history for unexpected triggers
Audit Users and Permissions
- Navigate to Configuration > Users
- Review all users, paying attention to:
- Unknown or newly added users
- Users with administrator privileges you did not create
- Service accounts with broad access
- Check Long-Lived Access Tokens in your user profile
- Revoke any tokens you do not recognize or that are no longer needed
Network Monitoring for Home Assistant
If you have network monitoring capabilities:
- Review DHCP leases for unknown devices
- Check your firewall logs for unusual outbound connections from your Home Assistant server
- Monitor DNS queries from your Home Assistant IP address
- Look for connections to known malicious IP addresses or domains
Verify Integrations
- Go to Configuration > Integrations
- Review all installed integrations, especially:
- Third-party cloud integrations
- Custom integrations from unknown sources
- Integrations with access to sensitive data
- Remove any integrations you did not intentionally install
- Check for unofficial or fake integrations masquerading as legitimate ones
Securing Your Smart Assistants
After auditing, take these steps to harden your devices:
Amazon Alexa Security
- Enable two-step verification on your Amazon account
- Use a strong, unique password for your Amazon account
- Enable voice PIN for sensitive actions like unlocking doors
- Disable voice purchasing or require a confirmation code
- Regularly review and delete voice recordings
- Use Amazon Kids+ if you have children to enforce additional controls
Home Assistant Security
- Enable secure authentication with long, unique passwords
- Use two-factor authentication for remote access
- Keep Home Assistant updated to the latest version
- Run Home Assistant behind a VPN for remote access instead of opening ports
- Use SSL/TLS certificates for all external connections
- Implement network segmentation by placing smart devices on a separate VLAN
- Disable unnecessary integrations and cloud connections
- Use the password-protected mode for sensitive automations
General Smart Home Security
- Change default passwords on all IoT devices
- Update firmware regularly on all smart devices
- Use a separate network for smart home devices
- Enable network-level firewalls and intrusion detection
- Review third-party access and revoke permissions you no longer need
- Monitor your network traffic for anomalies
- Use a password manager for all smart home account credentials
Automated Monitoring Script
For Home Assistant users who want ongoing monitoring, this shell script checks for unexpected automations and logs recent activity:
#!/bin/bash
# Home Assistant: export recent logbook entries via API for offline review
HA_URL="http://homeassistant.local:8123"
HA_TOKEN="your_long_lived_access_token_here"
# Fetch last 24 hours of logbook entries
curl -s -H "Authorization: Bearer ${HA_TOKEN}" \
-H "Content-Type: application/json" \
"${HA_URL}/api/logbook?hours_to_show=24" \
| python3 -m json.tool | grep -E "(entity_id|message|when)" \
| head -100
# List all automations and their last-triggered time
curl -s -H "Authorization: Bearer ${HA_TOKEN}" \
"${HA_URL}/api/states" \
| python3 -c "
import json, sys
states = json.load(sys.stdin)
autos = [s for s in states if s['entity_id'].startswith('automation.')]
for a in autos:
print(a['entity_id'], a['attributes'].get('last_triggered','never'))
"
Responding to a Confirmed Compromise
If you determine your device was compromised:
- Disconnect the device from the network immediately
- Change passwords for all associated accounts
- Revoke API keys and access tokens
- Factory reset the compromised device
- Review and remove any unauthorized smart home devices
- Check for financial impact if payment information was stored
- Enable additional security measures before reconnecting
- Monitor for future suspicious activity more closely
- Report the incident to the device manufacturer
- Consider identity monitoring if sensitive personal data was exposed
Related Reading
- Replace Google Home with Local Voice Assistant Using
- How To Set Up Home Assistant Esphome For Completely Local Sm
- How To Use Tailscale To Access Home Assistant Remotely Witho
- How To Tell If Your Router Has Been Compromised Check Guide
- How to Check if Your Smart Home Devices Are Compromised
Built by theluckystrike โ More at zovo.one