Poor security on popular smart devices which are likely no longer supported by tech firms including Amazon and Google can be exploited by hackers and used to crash websites, steal data, snoop on homeowners, or even for intimidation by domestic abusers, Which? research has found.
The consumer champion found that, from a doorbell to a wi-fi router and a smart speaker, ethical hackers easily ripped through the security of all of the devices, most of which no longer receive vital software security updates. This opened up a range of malicious opportunities, including surveillance and data theft.
Some of these products had been abandoned by the manufacturer within five years of launch. Which? is calling on the government to set out minimum periods for which smart products must receive vital security support. This would make smart products last longer, as manufacturers would have to fix vulnerabilities in them over a longer period.
Not only do smart products with poor security create risks for individual consumers, they also pose a threat to the wider economy. Insecure devices can be recruited into botnets, digital armies used to attack major businesses and put important online services at risk. In 2016 the Mirai botnet, built from compromised consumer devices, was used in an attack on the DNS provider Dyn that temporarily made major websites including Amazon, Netflix and Twitter unreachable.
In its investigation, Which? purchased eight products from recognisable brands and set them all up in a simulated home before inviting ethical hackers to attack them. These products were selected because they are likely to be sitting in the homes of thousands of consumers. Yet all of the products had vulnerabilities that could leave users exposed to cybercriminals. Which? believes that the majority were no longer supported by the manufacturers.
A domestic abuse survivor has also shared her experience of being tracked and controlled by an ex-partner who exploited weak security on devices including her wi-fi router, security camera and smart speakers. It is an example of what is known as ‘tech abuse’. Refuge, a domestic abuse charity, saw on average a 97 per cent increase in complex tech abuse cases in the 12 months after the start of the coronavirus pandemic, compared with pre-pandemic levels.
The ethical hackers in Which?’s investigation looked at a first-generation Amazon Echo smart speaker, which Which? believes lost security support in autumn 2021. Using a known vulnerability, the researchers carried out a physical attack on the device that gave them remote control over it. From there, an attacker could steal user data and even stream the live microphone feed, all without the user knowing.
A Samsung Galaxy S8 Android smartphone, which stopped receiving security updates in April 2021, was easily infected with malware capable of data theft, tracking and spam adverts. Researchers infected it with Flubot, delivered via a text message disguised as a DHL delivery notification; within 10 seconds the phone owner’s data, which could include banking and financial information, credit card details and passwords captured from SMS messages, was being sent out across the internet. A device still receiving security updates would have been better placed to block or detect the attack.
The hackers made light work of compromising the unsupported Virgin Media Super Hub 2 and found a way to retrieve password information. From there, they could access the household’s wi-fi, monitor its browsing and mount attacks on other connected devices. Which? first highlighted issues with this device back in 2017.
The Liv Cam baby monitor stopped being sold by popular baby products brand, Summer Infant, in early 2020 but it can still be found on second-hand online marketplaces. The app was last updated in September 2016 and Which?’s researchers were able to retrieve the camera’s password and access the video and the audio feed. This product uses an open wi-fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.
On a Google Nest Hello video doorbell, hackers were able to flood the device with requests until it was knocked offline. An attacker could use this to stop the doorbell from recording before approaching the owner’s home. Which? believes this model is no longer receiving software security updates, but has asked Google to confirm.
A Philips TV, which is supposed to still be supported with updates, could be hacked using an easily guessable default password. This means anyone within range could connect to the TV to access information on the user or could even put an image on the screen pretending to be from Netflix and pointing to a phishing URL where the homeowner is encouraged to re-enter their account or payment details.
Which? found minor issues with an HP Deskjet inkjet printer, but much more serious problems with a Wemo smart plug, both of which are believed to still be receiving updates.
In total, Which? found 37 vulnerabilities across the eight test devices, including 12 rated as high risk and one rated as critical. The majority of the vulnerabilities were already in the public domain, so if Which?’s ethical hackers can easily discover them, so can malicious attackers.
On the surface, the threat from some of these devices being compromised might seem less obvious, but all of them could potentially be used as part of major botnet attacks capable of bringing down critical infrastructure.
The main reason many of the products examined have vulnerabilities is that they no longer receive vital security updates from their manufacturers.
The government’s Product Security and Telecommunications Infrastructure (PSTI) Bill is currently making its way through parliament. Among various security requirements for smart products, companies will have to be transparent about how long they will support smart products when consumers buy from them.
Which? is calling for assurances that products will be clearly labelled with exactly how long they will last, rather than vague terms like ‘up to’ five years of support, or ‘lifetime updates’.
The consumer champion also wants the government to introduce mandatory minimum periods for how long different types of smart products must be supported. This should be different depending on the device – for example, a fridge should be supported for much longer than a smartphone – and there should be stiff penalties for companies that fall short of standards.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals. These weaknesses can lead to significant economic damage – but it is chilling to think that they can also be exploited by domestic abusers.
“The Product Security and Telecommunications Infrastructure Bill (PSTI) is a step in the right direction. However, the government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates – and they should go even further by introducing mandatory minimum periods for how long different types of smart products must be supported.”
– ENDS –
Louise* looked on in horror when her ex-partner turned up unexpectedly while she and her children were out at the shops. She had not told anyone she would be there. There was no obvious way he could have known. That was when she knew he had hacked her devices.
Louise and her ex-partner were together for a number of years, but the abuse began after she became pregnant. He would put her down and control her. After she fled with the children with the help of a domestic abuse charity, she realised how far he had gone to control her through technology.
She believes that he had placed a tracker on her car, hacked her wi-fi router in order to monitor her online activity and even worked out a way to use two smart speaker devices in her home to snoop on private conversations. He had been using a supposedly broken security camera over the rear entrance as a way to watch her coming and going.
He had locked Louise out of her devices and accounts. After she changed her mobile phone number, the perpetrator was given access to it without her consent. Her ex-partner was no master hacker; he had taught himself how to compromise her devices and accounts.
Jessica Eagelton, senior policy and public affairs officer at Refuge, said that Louise’s case is an example of ‘tech abuse’, domestic abuse carried out via technology. Refuge saw an average 97 per cent increase in tech abuse cases in the 12 months after the pandemic began in spring 2020. Tech abusers often target social media and online accounts, but they are increasingly using smart devices too. Smart baby monitors can be hacked and used to watch and talk to children; phones and cars are used for location tracking. Even smart thermostats can give an abuser control over someone’s heating.
Refuge helps survivors like Louise use tech more safely. Jessica told Which? it is important for people to keep their wits about them with smart devices. Louise added: ‘I didn’t realise there was so much going on until it was too late. The longer I was in it, the more of myself I lost.’
*Name has been changed
Notes to editors
Available for use from Wednesday 1st June – Which?’s podcast ‘Inside the Hackable House of Horrors’. A full embed code can be found using the ‘share’ button: https://player.captivate.fm/
Video (from November 2021) available for use – A hacker shows Which? how easy it is to get into smart devices: https://www.youtube.com/watch?
Advice for consumers with older devices
Run a tech audit
First, review all the smart devices you have connected at home. When did you buy them? Are they still on sale? Check whether they have recently been updated, either in the app, with the manufacturer, or by visiting which.co.uk/device-support.
Take security measures
For all still supported devices, make sure they are updated to the latest software. If a password is used, ensure it’s a strong one that you set yourself. If you can add on two-factor authentication, make sure you do.
If a device you own is no longer supported, it’s best to upgrade. It will be annoying to ditch a product that is still in working order, but it’s just not worth taking the risk of it being exploited by a malicious hacker or scammer.
If you have a device that’s less than six years old and no longer supported, you could try to argue that you deserve a refund or replacement. Currently, security is not well defined in law, but try contacting the retailer to see if you can make the case that your product is no longer fit for purpose or of satisfactory quality.
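As an added illustration of the tech audit described above (example code written for this page, not Which?’s own tooling), the script below reads a DHCP lease table of the kind a home router or dnsmasq keeps, identifies each device on the network, and flags those that are out of support, those with no update in over a year, and those that are unsupported but less than six years old and so worth raising with the retailer. Every input is constructed: the lease lines, the MAC prefix-to-vendor table (locally-administered 02: addresses that match no real vendor), the household inventory, and the end-of-support and last-update dates, which are placeholders rather than any manufacturer’s published dates. The 12-month staleness threshold is an assumption; the six-year window is the one in the advice above.

```python
"""Home smart-device audit from a DHCP lease table (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2022, 6, 1)        # fixed so the report is reproducible
STALE_AFTER_DAYS = 365          # assumption: no update in a year counts as stale
REFUND_WINDOW_YEARS = 6         # "less than six years old" from the consumer advice

# Constructed dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id.
# MACs use the locally-administered 02: prefix so they match no real vendor.
SAMPLE_LEASES = """\
1654041600 02:11:22:00:00:01 192.168.1.20 echo-kitchen 01:02:11:22:00:00:01
1654041600 02:33:44:00:00:02 192.168.1.21 nest-doorbell *
1654041600 02:55:66:00:00:03 192.168.1.22 android-s8 01:02:55:66:00:00:03
1654041600 02:77:88:00:00:04 192.168.1.1 superhub2 *
1654041600 02:99:aa:00:00:05 192.168.1.30 hp-printer *
1654041600 02:bb:cc:00:00:06 192.168.1.31 * *
"""

# Hypothetical MAC-prefix-to-vendor table (not the IEEE OUI registry).
OUI_VENDOR = {"02:11:22": "Amazon", "02:33:44": "Google", "02:55:66": "Samsung",
              "02:77:88": "Virgin Media", "02:99:aa": "HP"}

# The householder's own inventory: hostname -> (model, purchase date). Constructed.
INVENTORY = {
    "echo-kitchen": ("Echo 1st gen", date(2017, 3, 10)),
    "nest-doorbell": ("Nest Hello", date(2019, 8, 2)),
    "android-s8": ("Galaxy S8", date(2017, 5, 1)),
    "superhub2": ("Super Hub 2", date(2015, 1, 15)),
    "hp-printer": ("Deskjet", date(2020, 6, 20)),
}

# Lifecycle data: model -> (end-of-support date or None, date of last update).
# Placeholder dates for illustration, not the manufacturers' published dates.
LIFECYCLE = {
    "Echo 1st gen": (date(2021, 9, 30), date(2021, 9, 30)),
    "Nest Hello": (None, date(2022, 3, 1)),
    "Galaxy S8": (date(2021, 4, 1), date(2021, 4, 1)),
    "Super Hub 2": (date(2019, 1, 1), date(2018, 6, 1)),
    "Deskjet": (None, date(2020, 11, 1)),
}


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    vendor: str
    model: str
    status: str          # supported | stale | unsupported | unknown-device
    refund_case: bool    # unsupported and bought less than six years ago


def parse_leases(text: str) -> list[tuple[str, str, str]]:
    """Return (mac, ip, hostname) per lease line; '*' means the client sent no hostname."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        rows.append((mac.lower(), ip, "" if hostname == "*" else hostname))
    return rows


def vendor_for(mac: str) -> str:
    return OUI_VENDOR.get(mac[:8], "unknown")


def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25


def classify(hostname: str, today: date) -> tuple[str, str, bool]:
    """Join a hostname against inventory and lifecycle data -> (model, status, refund_case)."""
    if hostname not in INVENTORY:
        return "", "unknown-device", False        # on the LAN but never identified
    model, purchased = INVENTORY[hostname]
    end_of_support, last_update = LIFECYCLE.get(model, (None, None))
    if end_of_support is not None and end_of_support <= today:
        status = "unsupported"
    elif last_update is None or (today - last_update).days > STALE_AFTER_DAYS:
        status = "stale"
    else:
        status = "supported"
    refund = status == "unsupported" and years_between(purchased, today) < REFUND_WINDOW_YEARS
    return model, status, refund


def audit(lease_text: str = SAMPLE_LEASES, today: date = TODAY) -> list[Finding]:
    findings = []
    for mac, ip, hostname in parse_leases(lease_text):
        model, status, refund = classify(hostname, today)
        findings.append(Finding(mac, ip, hostname, vendor_for(mac), model, status, refund))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit():
        flag = "  <- ask retailer about refund/replacement" if f.refund_case else ""
        print(f"{f.ip:<14} {f.hostname or '(no hostname)':<14} {f.vendor:<13} "
              f"{f.model or '?':<13} {f.status}{flag}")
    print(summarise(audit()))
```

On the constructed data the report lists three unsupported devices, of which the Echo and the Galaxy S8 fall inside the six-year window while the 2015 router does not, one supported device, one stale printer and one device with no hostname that the audit cannot identify and that therefore needs tracking down first. On a real network the lease table would come from the router’s admin page or /var/lib/misc/dnsmasq.leases, and the inventory and lifecycle tables would have to be filled in from the manufacturers’ own support pages.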
Rights of reply
“We value the work Which? is doing to raise awareness around printer security and industry-wide design challenges. To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices. HP is committed to advancing our existing and future products to be the most secure in the industry.”
Which? has shared its findings with Amazon, Google, Philips and Wemo, but none had supplied a comment by the time of publication. Which? remains in ongoing dialogue with the companies.
Google says it has fixed the issue with the Nest, but Which? has not yet verified this.
Which? did not contact Samsung and Summer Infant for comment as their devices are out of the official support window.
Any Virgin customers still using the Super Hub 2 should request an upgrade. Virgin has told Which? in the past that customers can request a new router for free through its app, or by contacting customer services.
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at firstname.lastname@example.org.