“As miscreants learn that the pranks they can pull with this, Amazon's going to be investing more and more into stopping these pranks, “ said Bob Gourley, co-founder of Cognitio Corp, a firm that does security consulting. “But there are going to be pranks, you can be sure of that.”

Pranks covers a wide range of activity, from a kid ordering a favorite toy over Amazon without parental permission to hackers finding their way into the device to watch live video inside a home. Gourley specifically highlights Shodan, a search engine that finds internet-of-things devices and, if they're unsecured, lets outsiders watch video from cameras set up inside homes. Amazon has likely thought of this and included security features like requiring a voice pin before purchases that make it harder for anyone to simply gain access to all the device's features. Still, it's theoretically possible that a person could find a different internet-connected device, like a nanny cam with a default password, and then try to use that access to get into the Echo Show.

“Amazon likes building with Linux,” said Gourley, “so we can assume this is a Linux tablet with the Amazon build of Linux and probably some additional security. There's something out there for hackers to target.”

More likely are actions that take advantage of the Echo responding to any voice. Echo at present does not distinguish between the people who own it, their children, houseguests, or even television ads. (Earlier this year, an ad for Burger King activated a similar listening feature on Google devices.) Right now, Amazon mitigates this by letting users change the default word that wakes up Alexa to one of a preselected set of phrases, which provides a modest increase in security. Letting users create custom wakeup words would make it a lot harder to take over the machine by voice activation. Amazon also recommends users turn off the microphone on Echo devices when away from home, so someone can't just ask Alexa to open a garage door.

These smart hubs need to be connected to the internet to work, which opens up the possibility of a malicious actor accessing the devices. The first weak point in that chain, then, is how much users actually trust a company like Amazon. “Amazon recordings get transmitted to Amazon servers,” said Jay Stanley, a senior policy analyst at the ACLU. “Amazon is a household-name company, and it has to worry about its public image, which is a significant check on what it's likely to do. Amazon has a published privacy policy that people can inspect, and with existing versions of the Echo, Amazon will let users go online, listen to all the audio they've collected, and then delete it if they like.”

This is important, because the second weak point for data transmitted by an Echo is the law and the government. This is a function of third-party doctrine, where data held by an intermediate company loses the protections of private communication, like if someone was making a call with a payphone in an old public telephone booth. But that runs into conflict with devices like Echo, which stores data outside the home in Amazon's servers, and which people use in the privacy of their own home, an area traditionally regarded as having extra constitutional protections. Is the Echo's data private because the conversation took place in the home, or is it less protected because Amazon stored information about that conversation elsewhere?

When it comes to getting information recorded by an Echo, “We think [law enforcement] should definitely have to get a warrant, and that obtaining that information may rise to a higher standard,” said Stanley. Still, “At the end of the day, if Amazon has your data, and if the government comes for it, Amazon can fight it in court. If they lose the government can get your data.”

This is what happened in Arkansas, when Amazon was asked to turn over data recorded by an Echo in case it might add evidence to a murder case. Amazon pushed back on the warrant, before eventually handing over the data at the request of the defendant's counsel. (In that case, Amazon also audaciously argued that Alexa, as an AI used by Amazon, had speech rights).

The convenience of the Echo is that it is an always-listening device, ready to respond to a query by sound alone. With an added camera and screen, that remains the main appeal of the device. The Echo Show is new, so we don't yet know what unique flaws it may contain, but some weaknesses are the same as before: A device that is always listening and stores data outside the user's home requires continued management from Amazon, may have less legal protections from the government than if the data is stored inside the home, and it could provide an entry point for hackers.