// first 10 minutes
smart home compromise — quick-start
smart home compromise — first 10 minutes. change credentials before logs rotate. print this, check boxes, then run the primary tools.
checklist
- change the password on the smart home hub account (Google Home, Amazon Alexa, Apple HomeKit) immediately — these control all devices.
- revoke all third-party integrations and linked apps from the hub account — OAuth access is the most common attack vector.
- pull the activity log / history from each affected device: camera, lock, doorbell, thermostat — timestamp the export.
- check for new or renamed routines, automations, or schedules that the attacker may have created.
- check whether any device PIN codes were changed (door locks, garage openers) — attacker may have added their own.
- export the smart speaker voice history (Alexa history, Google assistant activity) for the incident window.
- check home router DHCP lease table for unrecognized devices that may have joined the network.
- photograph or screenshot the device list in the hub app — note any device the victim does not recognize.
- check if the hub account has any new authorized users or family-member invitations the victim did not create.
- begin the primary tool path below — smart home access log analyzer.
primary tools
- 01alexa voice history forensic extractordrop alexa activity json csv or zip export · categorize voice commands · build timeline · infer usage presence windows · csv json export · runs locally
- 02google home artifact forensic analyzerdrop assistant my activity exports json html or zip · categorize cast speaker routines · device phrase inventory · timeline csv json · runs locally
- 03homekit accessory forensic analyzerdrop home backup zip or plist files · scenes triggers automation accessories · surface geofence lat lon · plist runs locally · csv json export
- 04ring camera artifact forensic extractordrop ring exported json csv or zip timelines · ding motion alarm ingest classification · utc hour occupancy heuristic · csv json export · runs locally
- 05nest camera forensic analyzerdrop nest google takeout json csv zip fragments · postal_code extraction · familiar visitor labels · activity zone inventory · csv json export · runs locally
- 06smart lock access forensic analyzeraugust/schlage csv · code slot NAMES · unlock→lock sessions · late-night anomalies · attributable keypad access · csv/json export · runs locally
- 07smart thermostat timeline analyzernest json · ecobee csv · generic mode csv · away/home cues · vacation windows · utc routine bands · corroborative occupancy · csv/json export · runs locally
- 08smart tv artifact forensic extractorsamsung lg json walks · viewing · apps · search · account linkage cues · heuristic timeline · csv/json export · runs locally