An ABC7 I-Team Investigation
CHICAGO (WLS) -- Millions of people have smart hub devices like the Amazon Echo and Google Home, but they could be putting users' privacy at risk.
The I-Team tested the devices with experts and found potential vulnerabilities that could be used by hackers and thieves.
The devices act as home assistants who respond to verbal command words.
The I-Team found that the Amazon Echo app for Alexa records and saves users' conversations -- even if the smart hub device only "thinks" it hears the word "Alexa."
Brian Liceaga, of the Evolve Security Academy, found even more personal information.
Experts said they can be an identity thief's dream if users don't have a pass code on their phone or tablet, or if those devices are on unsecure Wi-Fi networks.
"So they can start building a profile around you and execute a social engineering attack. So they might know when you're going on vacation, they know your interests, they might know things that you've looked up, that you've asked the device," said Liceaga.
The I-Team inspected an Echo belonging to a man known as "Professor Fraud."
"If it thinks it hears the name 'Alexa,' it wakes up and starts recording. So it's potentially an invasion of privacy and also potentially embarrassing," said William Kresse, a professor at Governors State University.
Amazon said the saved recordings are stored to improve accuracy and make the product better, but they can be deleted individually or all at once.
The I-Team also found that Kresse's answering machine could be used to control Alexa via voice commands. This could be used by a burglar checking to see if anyone is home or even a neighbor trying to order something for themselves.
"Now Amazon has the option to put in a four-digit code whenever you want to place a purchase order. Otherwise, anyone could just say a few words - even accidentally - and the next thing you know, you've got a delivery coming to your house," Kresse said.
The I-Team also examined a Google Home, which belongs to Patrick Connor, the husband of an ABC7 employee, and the Google app for it.
"I had no idea that I could go back and even hear my own voice on my own phone. I think what was most alarming to me was that it even seemed to be recording before I said 'Okay Google,'" Connor said. "So now I'm wondering, 'Is this thing always listening? Is it always on?'"
Google said the device only stores audio after recognizing the words "Ok Google" or "Hey Google," but said that content is sent to Google servers. Google officials also note that voice history can be deleted, similar to web history.
The I-Team also tried to hack both devices.
Expert were able to locate the Google Home but couldn't crack into either.
Amazon and Google both said devices go through extensive security and privacy reviews.
"Amazon and Google have, not only large security teams, but some of the best in the world and the best talent in the world," Liceaga said.
But he says you should still be skeptical over that extra set of ears.
"This device that's always there and listening, we have to use it with caution and safety," Liceaga said.
Users may want to mute devices when not in use to prevent unwanted recordings.
For the Echo, users can turn off voice purchasing or even chose between two other command words instead of "Alexa."
Also, users should make sure software for the device is updating automatically.
Experts also said that the riskiest vulnerabilities aren't in the smart hubs themselves, but in those apps or accounts on your tablets and computers.
"Their windows computer might actually have the password to the amazon account in which case I can bypass this all together," Liceaga said.
Liceaga said users should put smart hubs on a guest Wi-Fi network which is separate from the one used by other devices to create a barrier between the smart hubs and other devices. Experts also suggest changing the smart hub device name on the Wi-Fi so it can't be detected.