Security researchers have discovered a vulnerability in the Amazon Echo that would allow an attacker to install malware and spy on the user through the device’s microphone.

The discovery was made by security experts at cyber security research and development firm MWR Labs, who found an exploit in the hardware design of Amazon’s AI assistant-powered speakers that could turn the speaker into a wiretap for hackers.

Read: Alexa Connected To The CIA? Amazon Echo Tripped Up By User's Question

The exploit affects the 2015 and 2016 models of the Amazon Echo, though it’s worth noting the attack cannot be carried out remotely. It requires physical access to the device itself, limiting the widespread risk—though still making the speakers vulnerable to targeted attacks.

To carry out the hack, a malicious actor will have to remove the rubber base of the Amazon Echo and expose its debug pads, where a person can boot the device from an external SD card. The Echo will attempt to boot from the SD card before attempting to boot from the internal components.

If an attacker is able to gain access to an Echo and boot from the SD card, they are granted remote root shell, or administrative, access. Such access would allow the attacker to install malware on the device and remotely listen in to anything picked up by the Echo’s “always listening” microphones.

For the user of the Echo, the fact the device has been compromised will be essentially unnoticeable. The attack doesn’t affect the functionality of the device. Behind the scenes though, the malware sends the raw microphone recordings to a remote server for an attacker to play back.

Read: Amazon Echo Assistant Speaker Auto-Calls Police During Domestic Assault

While the fact the attack can only be carried out through a physical move is inherently limiting, it doesn’t mean that users are not at risk. Some hotels offer Amazon Echo devices in a visitor’s room, and those devices could be compromised at any time. A person may also purchase a used Echo that has been hacked.

It’s also possible that a device may be hacked within a person's own home by someone with access to it. An abusive or jealous partner may hack the device to keep tabs on another person or collect potentially suspicious recordings of them.

Owners of the newest model of the Echo need not worry, as the 2017 version of the device is not vulnerable to the attack thanks to a modification to the hardware. Devices produced in 2015 and 2016 are still at risk.

For those who are concerned their device may be at risk, the first step to take is to check the device’s model number. If the number ends in “02,” the device is a 2017 model and is not at risk. Any other model number will indicate an earlier model that may be vulnerable.

To prevent such an attack from keeping on ongoing recording of all conversation, users can use the physical “mute” button on the device that disables the microphone. The button cannot be overridden by the device’s software.