The hackable home: investigation exposes vulnerability of smart-home devices

A Which? investigation into the security of connected devices in the home has shown how hackers could access your home network and connected appliances in as little as four days.

Which?’s testing of smart devices has largely been positive, with innovative products and systems making daily life simpler and more enjoyable within the home. However, with so many new and different products entering the market, the consumer group is concerned that some appliances pose a risk to consumer security and privacy.

Which? has carried out a snapshot investigation to test whether popular smart gadgets and appliances in homes could stand up to a possible hack. It set up a home with a host of smart gadgets – from wireless cameras, to a smart padlock and a children’s Bluetooth toy – and hired a team of ethical security researchers, SureCloud, to hack it.

Some of the devices proved harder than others to infiltrate (such as the Amazon Echo, although people should be aware that voice purchasing is activated by default), but eight out of 15 appliances were found to have at least one security flaw. As part of the investigation, Which? found potential risks with the following:

  • Internet router – This is the gateway to all connected devices within the home. The Virgin Media Super Hub 2 router is set up with a simple password that many people don’t change, and SureCloud was able to gain access to it in just a few days. In light of Which?’s investigation, Virgin is advising more than 800,000 customers in possession of the affected hubs to change their password immediately. Virgin Media broadband was already in the home, and there could potentially be similar security issues with other broadband providers and their routers.
  • Wireless CCTV – Some wireless cameras are easy to hack. A home CCTV camera system, branded Fredi Megapix, operates over the internet using a default administrator account without a password. This is a real privacy concern and Which? found thousands of similar cameras available for anyone to watch the live feed over the internet. Worse still, the hacker can even pan and tilt the cameras to monitor activity in the house.
  • Smart children’s toy – CloudPets is a stuffed toy that enables family and friends to send messages to a child via Bluetooth. Building on a recently published flaw, SureCloud hacked the toy and made it play its own voice messages.
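As an added illustration of the default-credential problem described for the Fredi Megapix camera above (example code written for this page, not part of the Which? or SureCloud investigation): a small Python audit that asks a device's web admin interface whether it accepts common default logins over HTTP Basic authentication. The camera here is a constructed mock that runs locally so the check works offline; the credential list, the /live path and the sample strong password are assumptions, not details taken from the investigation. Against a real device you would point base_url at its admin interface instead of starting the mock.

```python
"""
Audit a device's HTTP admin interface for default or blank credentials.
Added example; not code from the Which?/SureCloud investigation. The
"camera" is a constructed mock that mirrors the page's description (an
administrator account with no password), so everything runs offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Illustrative default-credential pairs (assumption; not taken from the page).
DEFAULT_CREDENTIALS = [
    ("admin", ""),
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
]


def make_mock_camera(valid_user, valid_password):
    """Build a handler for a constructed mock camera that protects /live with
    HTTP Basic auth and accepts exactly one user:password pair."""
    expected = "Basic " + base64.b64encode(
        f"{valid_user}:{valid_password}".encode()).decode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"live feed")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="camera"')
                self.end_headers()

        def log_message(self, *args):  # keep the mock quiet
            pass

    return Handler


def try_login(base_url, user, password, timeout=2.0):
    """Return True if the device accepts user:password via HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(base_url + "/live", headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):  # rejected: not a valid login
            return False
        raise


def find_default_credentials(base_url, candidates=DEFAULT_CREDENTIALS):
    """Return every (user, password) pair from candidates the device accepts."""
    return [(u, p) for (u, p) in candidates if try_login(base_url, u, p)]


def run_audit(valid_user="admin", valid_password=""):
    """Start a mock camera configured with the given admin login on an
    ephemeral local port, audit it for default credentials, then stop it."""
    server = HTTPServer(("127.0.0.1", 0), make_mock_camera(valid_user, valid_password))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return find_default_credentials(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # As shipped: admin with a blank password, exactly the case on the page.
    print("as shipped (blank admin password):", run_audit("admin", ""))
    # After the owner sets a unique password (assumed value), the audit finds nothing.
    print("after setting a unique password:", run_audit("admin", "Tr!ck-Ph0t0n-Lemur-91"))
```

The first run reports the blank admin login the device ships with; the second, with a unique password set, reports no accepted default pair. A 401 or 403 is treated as a rejected login, while any other HTTP error is raised so that a misconfigured URL is not silently counted as "secure".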

When Which? testing identifies a significant vulnerability with a product, it contacts the manufacturer involved. It has done this with the manufacturers of the eight affected products as part of this investigation.

As a result, the majority have updated their software and security. In addition to Virgin informing 800,000 customers to update their password, it is also in the process of upgrading its customers to the more secure Super Hub 3.

Despite the popularity of these products and the benefits they bring, Which? believes that wider action is needed to close security loopholes so that the maximum benefits to consumers are realised. The industry must take the security of internet-enabled and smart products seriously, by addressing the basics such as ensuring devices require a unique password before use, using two-factor authentication, and issuing regular security updates for software.

Alex Neill, Which? Managing Director of Home Products and Services, said:

“There is no denying the huge benefits that smart-home gadgets and devices bring to our daily lives. However, as our investigation clearly shows, consumers should be aware that some of these appliances are vulnerable and offer little or no security.

“There are a number of steps people can take to better protect their home, but hackers are growing increasingly more sophisticated. Manufacturers need to ensure that any smart product sold is secure by design.”

Which? advice:

  1. Set strong passwords: Many smart devices come with generic default passwords that are easy for hackers to guess. Set a strong and unique password, ideally with a jumbled mix of letters, numbers and special characters.
  2. Update your software: Keeping software or firmware updated means that the latest security is installed on the device.
  3. Complete the set-up: All smart devices should be connected to a secure wi-fi network. This is because many use their own wi-fi during the set-up process which, if left unsecured, is an easy target for attackers located within range of the device.
  4. Location, location: Be mindful of where devices are located in the home. Those close to windows or behind thin doors can be more easily accessed from outside.

Notes to Editors

For more information on how to better protect your smart-home appliances, visit www.which.co.uk/smarthometips

  1. Which?’s hackable home: Which? set up a smarthome at the home of a Which? employee with a host of popular smart gadgets that can be found in houses across the UK. It hired ethical security researchers, SureCloud, to hack it. Alongside targeting the gadgets, SureCloud also ran surveillance on the homeowner to gather information that could be used to breach their security. They used techniques such as phishing – sending spoof emails and messages designed to trick someone into revealing personal details. The team then set about hacking the home and it took them just four days to do it.
  2. SureCloud: SureCloud is a cybersecurity testing and assurance services team that helps organisations secure their information assets, systems and data. For more detail, visit SureCloud’s website > https://www.surecloud.com/
  3. Video: Link to full video and CloudPets video HERE
  4. Which? advice to stay secure > www.which.co.uk/smarthometips
  5. Consumer rights advice for data protection and/if your data is lost > http://www.which.co.uk/consumer-rights/l/data-protection
  6. Virgin Media response: “The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards. To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions”
  7. Nokē Smart Padlock response: “Our second generation locks are shipped with new firmware that eliminates the vulnerability. We are rolling out the firmware update to owners of our first generation lock. If they have not yet received it, users can email us at support@noke.com and we can push the update right away.”
  8. Amazon (Echo): “To shop with Alexa, customers must ask Alexa to order a product and then confirm the purchase with a “yes” response to purchase via voice. If you asked Alexa to order something on accident, simply say “no” when asked to confirm. You can also manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order. Additionally, orders placed with Alexa for physical products are eligible for free return.”
  9. Smarter: “Smarter takes product and customer security very seriously and prides itself on embedding state-of-the-art protective technologies into every layer of its end-to-end ecosystem to ensure that every reasonable measure is taken to protect its customers’ products, data and credentials from unauthorised third-parties. Smarter’s security begins at the device including hardware encryption, multiple-layers of secure keys and challenge-response mechanisms, domain locking protocols and world-leading BlinkUp pairing technology, providing simple and secure out-of-band pairing.”
  10. TP-LINK HS100 SMART PLUG: “We will improve the app when it is released this month to add mutual authentication and session-based keys so potential hackers will not be able to dig into the content and take control. A firmware upgrade will also be released this year. The additional protection to the user’s account will include information privately known to the user. The Kasa app can be updated with these improvements in Google Play or via the App Store.”
  11. Which? didn’t receive a response from the manufacturers of either Fredi Megapix or CloudPets.


Press Release