Echo Hub for $180: The Echo Hub isn’t exactly a smart display. It lacks powerful speaker capabilities and doesn’t have a camera for calls or Amazon’s Drop-In video call feature. Instead, it focuses entirely on being a smart home dashboard with built-in Alexa, plus features like widgets and the photo frame. I think it takes the best, most easily used features of a smart display and cuts out the rest. But if you want a good speaker, don’t choose this one.
Echo Show 5 (3rd Gen, 2023) for $90: The smaller and cheaper third-gen Echo Show 5 has a 5.5-inch screen that works best on a desk or a bedside table. We think it’s a bit too small for the kitchen or living room, but that depends on how you plan to use it.
Echo Show 15 for $300: This is the largest of them all, with a 15.6-inch display, and it has customizable widgets so you can have smart-home device controls and calendar reminders available whenever. It’s made to be mounted on your wall like a TV (a stand is sold separately), and the Show 15 pairs with a Fire TV remote (you can use the app) to use the streaming features. With the new Alexa+ I’ve found myself liking it a lot more, and it’s much less distracting than the rotating slideshows you get on smaller Echo Shows. It’s a splurge, though, and I still wish the streaming capabilities were better.
Google Nest Hub for $100: Google’s second-gen Nest Hub is a great option if you don’t need a camera and don’t mind a smaller 7-inch screen. It has a wake-up alarm that emulates the rising sun for gentler mornings, though it’s not bright enough to qualify as a sunrise alarm clock. It also has sleep-tracking tech to track your sleep quality, though the quality of the results isn’t great. It also supports gestures—like playing or pausing a video with a hand movement—by using unique radar tech.
Google Pixel Tablet for $499: This tablet doubles as a smart speaker when placed on its speaker dock. It works well, but it’s not currently slated to get Google’s new assistant, Gemini for Home. If that changes, we’ll go back to recommending it. But we’re not sure it will: availability has been limited for the speaker base, and could point to this device being discontinued altogether.
Smart Displays to Skip
We don’t like every smart display. Here are the ones we’re skipping after trying them out.
Echo Show 10 (3rd Gen, 2021) for $250: This smart display is situated on top of a large cylindrical speaker, which makes it sound great. The screen physically swivels to follow you around the room as you use it, keeping you in frame while you video chat or keeping your streamed workout video in your line of sight as you move about. Because the screen moves around so much, you may have trouble positioning it in tighter spaces—especially in corners. It’s a unique model, and is still out of stock like it was this summer. I suspect the upcoming new Echo Show 11 ($220) might replace it, since it has a similar design (but leaves out the movement gimmick).
Third-Party Google Displays: Google is no longer updating software for some of the third-party smart displays we used to recommend in this guide. If you have one, it will still work, but some features will likely suffer or disappear entirely as time passes. This seems to be the fate of most third-party Google smart displays, which is why we don’t recommend them anymore. Google did say they’ll be working with partners to bring Gemini for Home to third-party devices, so we’ll see how that pans out.
What About Alexa+ and the New Echo Shows?
Amazon has been randomly rolling out its new version of Alexa, named Alexa+, in early access since the spring. This second generation of the Alexa voice assistant is more conversational, able to execute complex tasks and learn new information, and can be much more personalized. That’ll be due to its being powered by generative AI. Check out our hands-on with early access Alexa+ for more about our experience.
Unlike the current Alexa, once it’s fully available, it’ll cost $20 a month or be free if you have an Amazon Prime membership. This is a big jump from the free assistant, but you can keep the current Alexa for free if you don’t wish for another subscription or have an Amazon Prime membership. Right now, it’s also only available in early access for Echo Show devices. You can sign up here for the wait list.
Alexa+ will be immediately available on its newest devices coming this fall, however. There will be two new smart displays, the Echo Show 8 (4th Gen) and Echo Show 11, and two new smart speakers, the Echo Dot Max and Echo Studio (2nd Gen). We’re curious how the new models will compare to our current favorites, and we will update this guide once we test them.
It’s also important to note that Alexa+ has forced a privacy change for all Echo devices. Echo devices used to be able to process voice recordings locally on your device, but the “Do Not Send Voice Recordings” privacy feature was killed in March. Now all voice recordings will be sent to Amazon to be processed in order to make Alexa+ function, but even if you don’t end up using Alexa+, the feature is gone.
What About Gemini for Home and Google’s Smart Displays?
Amazon isn’t the only one rolling out a new version of its assistant. Gemini for Home is Google’s similarly AI-powered smart assistant that will replace Google Assistant in just about all of its available speakers. Unlike Amazon’s new assistant, Gemini for Home will be free, but Google is changing its Nest Aware subscription to become a subscription that’s both for video storage and for more powerful assistant features.
Google is also rolling out a new speaker in the spring, but no new smart display is slated yet. The new assistant will come to all of Google’s existing lineup except for the Google Pixel Tablet, which we no longer recommend since it’s not currently planned to get support with the new assistant. Google did say they plan to work with third-party partners to bring Gemini for Home to more devices, so we might see new third-party displays that we can recommend again. We’ll update this guide as we learn more, but for now, Google’s Nest Hub Max and Nest Hub are the best smart displays to purchase if you want access to Google’s new assistant.
FAQs
Do You Need a Smart Display?
Smart displays are helpful, acting as hubs for your smart home devices, walking you through recipes while you chop away in the kitchen, and in some cases allowing you to video chat hands-free too. But we’re not sure how long they’ll be worth it, or even exist, in their current form. Companies have been experimenting and doing away with smart displays again and again; Meta discontinued its Portal devices, Google might be discontinuing the Pixel Tablet we favored, and Apple still has yet to even make a smart display.
Amazon has continued to make new smart displays, even after losing $10 billion in 2022 thanks to failures around the Alexa voice assistant. The Alexa team was reportedly hit hard by layoffs in 2022 and 2023, but new smart displays continued to come out since then and more are slated to come out later this fall: the Echo Show 8 (4th Gen) and Echo Show 11.
So far, Apple has yet to launch its own dedicated smart display. Apple iPhones have a StandBy Mode included in iOS that activates when an iPhone is on its side and charging, using stands like this one from Twelve South. I had hoped this feature would feel similar to a smart display, but StandBy Mode is limited to customizable clock faces, showing your photos, and having your texts pop up in large text that fills the screen. It doesn’t scratch the itch of all the features you get in a smart display and instead feels like a fancy alarm clock.
What About Digital Calendars?
There’s a growing market of digital calendars that look a bit like smart displays, but instead of being able to respond to voice commands and stream a video call, these digital screens are designed to have one shared calendar for the entire family to see and view. Skylight, a maker of one of our favorite digital photo frames, makes the Skylight Calendar (starting at $170) that comes in 10 inches, 15 inches, and 27 inches, while I tested the Hearth Display ($699) that comes exclusively in a 27-inch size. Cozyla also makes the Cozyla Calendar+ that starts at 15 inches but goes all the way up to a 36-inch screen.
There are some differences in these calendars, but you’ll find a similar roadblock to them: memberships. Hearth Display encourages using the display to create routines with your family, specifically kids, though you’ll want a kid older than my 2-year-old to use it properly (though the Hearth does have icons designed for kids who can’t read yet), and to sign up for the Family Membership. The Skylight touts a photo screensaver and meal planning tools if you sign up for the monthly Plus Plan.
You could find these devices are for you, but it’s either another device for one parent to manage or something you’ll have to teach your entire family to make into a habit to really get the most out of. You’re likely better off just teaching everyone in your family to share their Google Calendar.
Setup was relatively quick and painless. You just have to unbox four speakers, a soundbar, and a subwoofer, attach their power cables, and plug in everything. Pairing happens through the LG ThinQ app, which allows you to set up the Sound Suite system and tune it to exactly where you’re sitting in the room using your cell phone’s microphone.
You can also set up each speaker to play music and group it with any other LG smart speakers you might have around your home, like the more affordable $250 M5 bookshelf speaker, to create a whole-home system.
Once all the components were synced, I plugged the soundbar into the C5 OLED via HDMI, and was able to easily control everything via the TV remote’s volume and mute buttons. More in-depth settings had to happen in the app, but if you’re anything like me, this won’t become a regular chore. You’ll set it how you like it once and move on. While the pairing functionality with the LG TV was nice, it’s not required–the eARC port lets the Sound Suite work perfectly with any modern TV.
The bar itself runs the show, with a black-and-white display on the far left that shows your mode and volume, among other settings. In the center of the bar and below each speaker is an LED light strip that also shows you the volume when you change it, which is a nice touch.
Getting Musical
The sound of the LG Sound Suite is full and cinematic, thanks in no small part to the extra dedicated speakers. Most competitors lack front left and right, simply opting to use the soundbar for these channels. As such, the width and breadth of the soundstage were bigger than most competitors I’ve tried, with only Samsung’s flagship HW-Q990F as a real contender. Even the Samsung lacked the lower-frequency audio quality that these LG speakers provide.
On 27 April, the government-backed security certification scheme, Cyber Essentials v3.3, takes effect and multi-factor authentication (MFA) becomes a pass-or-fail requirement for the first time.
If a cloud service your organisation uses offers MFA and you have not enabled it, you fail. No discretion, no partial credit, no route to remediate inside the assessment cycle.
This is the right call. I want to say that clearly, because what follows is a problem with the implementation, not the policy. MFA is the single most effective control against credential-based attacks, and the scheme has needed to stop tolerating its absence for a long time. The National Cyber Security Centre (NCSC), part of GCHQ, which developed Cyber Essentials, and certification company IASME have got this decision right.
But in the assessments we have conducted this year, I have seen two organisations that will hit a wall on 27 April, and I do not think they are unusual.
Train company could not deploy MFA
The first is a train operating company in the South East. Station operations rooms run on shared terminals where staff rotate through shifts in time-critical conditions. A transport union raised formal concerns that MFA would introduce delays at the keyboard that could affect train operations and, in their view, the safety of train movements.
The company listened and chose not to enable MFA in those environments. Under v3.2 they passed, with the relevant questions marked as non-compliant but not fatal. Under Cyber Essentials v3.3 they will fail.
Charity run by volunteers faces MFA hurdle
The second is a nationally known charity with hundreds of high street shops. The shops are staffed largely by volunteers, many of whom work a few hours a week, and staff turnover is high.
The cost and management overhead of enrolling every volunteer onto MFA, using personal phones they may not have and authenticator apps they would not keep, was considered prohibitive. So MFA was never switched on. Same story: they passed under v3.2. Under v3.3 they fail.
Neither of these organisations is ignoring security. Both made considered decisions based on how their people actually work. The problem is not that they do not want to comply. It is that the standard toolkit of MFA methods, including SMS codes, authenticator apps on personal phones, and push notifications, does not fit a six-person shared terminal that has to be available in seconds, or a volunteer workforce that changes every week.
FIDO2 could offer solutions
The frustrating part is that there is a solution, and it is already proven in healthcare, manufacturing and retail. FIDO2 authentication delivered through NFC badge-taps lets a staff member authenticate in under two seconds: tap a badge, enter a short PIN, session opens.
It satisfies the MFA requirement by combining possession of the badge with knowledge of the PIN. It is faster than typing a password. Crucially, it is compliant, because each badge is enrolled as that individual’s unique FIDO2 credential, so the Cyber Essentials requirement for unique user accounts is met. Shared keys or shared PINs would not work. Individual badges do.
Need for better guidance
v3.3 explicitly recognises FIDO2 authenticators and passkeys as valid MFA methods. The compliance path is clear. What is missing is anyone telling the organisations most affected that this path exists.
That is the gap that must close. The NCSC and IASME have made the right policy decision; the scheme would be weaker without it.
But implementation guidance for shared-terminal, shift-based and high-turnover environments is thin, and these organisations are running out of time to find their way through it. Many of them hold Cyber Essentials because it is required for government contracts or in their supply chains; losing certification has a direct commercial cost.
The answer is not to soften the requirement. The answer is to make sure no one fails for lack of information about how to meet it.
Jonathan Krause is Founder and Managing Director of Forensic Control
Over the four-day Easter weekend of 18 to 21 April 2025, customers of British high street fixture Marks & Spencer (M&S) took to social media in droves to lament an apparent outage that was causing disruption to in-store contactless payments.
At first glance, the disruption appeared to be the result of a run-of-the-mill IT glitch that happens from time to time, but by Tuesday 22 April, it was starting to become apparent that something far more sinister was going on. M&S shut down multiple public-facing services, such as online shopping and in-store click and collect, and CEO Stuart Machin made the rounds of the morning news studios to confirm that the retailer had been hit by a cyber attack.
The incident was the first in a series of damaging attacks against UK retailers – all orchestrated in similar fashion via the systems of an unwitting third-party tech supplier – to come to light.
As the likes of Co-op and even Harrods were drawn in, Scattered Spider – the English-speaking hacking collective behind the attack – and associated groups such as Lapsus$ and ShinyHunters became household names.
Over the summer of 2025, the teen hackers turned their attention to other targets, hitting organisations operating in multiple verticals all over the world. The cyber crime spree arguably hit its zenith – or nadir depending on your point of view – with the August 2025 attack on carmaker Jaguar Land Rover (JLR), the repercussions of which continue to reverberate around the UK economy nearly eight months on.
But the chaos kicked off at M&S, with shelves left empty as store managers struggled with downed ordering systems, and homes across the nation going without upmarket picky teas, pig-shaped gummy sweets and caterpillar-themed cakes.
Third-party vulnerabilities: it started with a phone call
“A year on from the M&S attack, the numbers tell a stark story. Retail cyber attacks grew around 34% last year, and the trajectory since then suggests that figure has only climbed further,” says Check Point UK and Ireland head of enterprise, Charlotte Wilson.
“What the incident made clear is how the nature of the attack itself should be understood. The initial entry point at M&S, and at others like Jaguar Land Rover … was a phone call. Someone convinced a helpdesk operative to hand over system access by impersonating an employee. That was the door in, and it opened onto hundreds of millions of pounds of damage. The most expensive cyber attack in British retail history began with a conversation.”
Muhammad Yahya Patel, Huntress virtual chief information security officer (vCISO) and EMEA cyber security adviser, says it is precisely this relatively unsophisticated origin story that marks the M&S breach as a case study that every security team – whether working in retail or not – should have printed out and stuck on the wall.
“The attackers didn’t find a zero-day. They didn’t bypass a next-gen firewall. They picked up the phone, pretended to be an M&S employee and asked a third-party service desk to reset a password. That was it,” says Patel.
“Everything that followed, the Active Directory database exfiltration, the credential cracking, the ransomware deployment across VMware hosts – all of it flowed from lack of service desk processes.
“Perhaps the most sobering detail [is] the four individuals arrested by the NCA in July were aged 17 to 20. These weren’t nation-state actors with deep pockets and government backing. They were young, English speaking and highly effective at finding the gap between an organisation’s technical controls, people and processes.”
The lasting effect on boardroom conversations
But significantly, says Check Point’s Wilson, the M&S attack seems to have served as a much-needed alarm call for the retail industry, and many of her customers have started scrutinising their supply chains as a result.
“The attack exposed a hard truth: your security posture is only as strong as the weakest link in your vendor ecosystem, and for many retailers, that link had never been seriously stress-tested. The supply chain conversations happening in boardrooms today simply weren’t happening 18 months ago,” she says.
“Cyber risk is now seen as a board-level issue in a way it simply wasn’t before. That cultural shift may prove to be the attack’s most important legacy.”
Dominic Mortimer, who leads the red team at Bulletproof from WorkNest, agrees that security leaders seem to be more alert to the dangers of social engineering.
“The M&S breach accounted for a massive and direct uptick in organisations wanting to include similar breach scenarios in their tests,” Mortimer tells Computer Weekly. “I think like 80% of the latest red teams we’ve done following that breach announcement have all included help desk [or] vishing simulation scenarios to ensure the organisation’s resilience and defences extend to these third-party areas.
“It very much shone a light on an area that had previously been neglected by organisations and many reconsidered or approached with greater scrutiny their reliance on outsourced third-party entities. So, it’s very much become a warning tale that organisations have taken to heart, which is a massive positive despite the bad times had by M&S.”
Post-breach lessons
This said, cyber security in retail remains an uphill battle, and Wilson highlights some structural factors that still make shops harder to protect than, for example, financial services companies, or business-to-business publishing houses.
These factors include – but are not limited to – more public-facing contact points that lead to significantly higher volumes of phishing attempts, frequent frontline staff turnover and historically lower average security maturity. This all adds up to a threat environment that is hard to harden. Furthermore, Wilson adds, retailers operate on such tight margins that cyber security faces chronic underinvestment.
It is perhaps not much of a surprise then that Check Point’s most recent cyber attack statistics for March 2025 reveal that the consumer goods and services sector was one of the most heavily targeted in the UK.
Huntress’ Patel says he is now seeing a wave of multi-channel approaches by hackers using email, phone calls, SMS and even Microsoft Teams to build trust with employees before delivering the killer blow. This, he says, makes them hard to stop with any single method of control.
“It requires a culture of verification and education, not just a stack of tools,” he says. “The organisations that come out of this period strongest won’t necessarily be the ones who spent the most. They’ll be the ones who were honest about where their real gaps were and closed them.
“At Huntress, we continuously see attackers inside business as we step in to stop them in their tracks. We are witnessing a professionalised scaling of the identity theft ecosystem. Adversarial efficiency is at an all time high. By transforming unauthorised access into reliable, long-term footholds, attackers are treating networks like a marketplace.
“Organisations must pivot their strategy: if you are only watching the ‘break-in’, you are missing the breach. The priority must shift to rigorous, post-authentication visibility and anomaly detection,” he says.
Wilson reflects that the M&S incident seems to have prompted the government to start to act with more urgency. She notes the National Cyber Security Centre (NCSC), in its most recent annual report, says it dealt with 204 “nationally significant” cyber attacks from September 2024 to September 2025, more than doubling the previous record of 89. She also points out the progress made on the Cyber Security and Resilience Bill (CSRB), and Westminster’s Cyber Action Plan and proposed £210m centralised cyber unit.
“We are finally starting to see government not just understand but actively communicate the societal and economic cost of cyber threats. That is progress,” she says. “What hasn’t changed, though, is individual behaviour. Consumers going about their daily lives aren’t taking meaningfully more care with their personal data.
“And there’s a chapter of this story that hasn’t been told nearly loudly enough: the wave of class-action scams that followed the breaches. They’re still out there on social media: deepfake videos asking whether you were affected, whether you might be entitled to compensation, harvesting the details of the very people who were already victims once.
“The original breach made the headlines, but the scams that fed on it didn’t. And from a societal perspective, our collective ability to recognise and resist that kind of secondary exploitation simply hasn’t improved. The attackers know it, and they’re counting on it,” she warns.