Mark Barnes, who works with British cybersecurity consultancy MWR InfoSecurity, detailed his trick in a Tuesday blog post. He said the technique made it possible to install malware and surreptitiously stream audio from the microphone, which is intended as an interface for giving commands to Amazon’s Alexa virtual assistant.

On the bright side, this is not an attack that can be perpetrated remotely from a hacker’s basement – the attacker needs to have physical access to the Echo, in order to solder an SD card reader to the device. Although it’s not a problem that can be fixed with a software update, Amazon has also closed the vulnerability in the Echo units that it’s sold this year, so it only affects older models.

Get Data Sheet, Fortune’s technology newsletter.

However, as Barnes pointed out in an interview with Wired, physical access can be a real threat when Echoes are left in public or semi-public places. Some hotels plan to install them in their rooms, he noted.

“In that case, you don’t really control who has access to the devices,” he said in the interview. “The previous guest could have installed something, the cleaner, whoever.”