Hack Friday: Which? warns of flood of security-risk smart products sold on online marketplaces this Black Friday
Which? is urging consumers to be cautious when shopping for cheap electronics this Black Friday after an investigation from the consumer champion found hundreds of security and privacy-risk smart products for sale on popular online marketplaces.
Which? found more than 1,800 smart tech products available for sale, including smart doorbells, wireless cameras, alarms and tablets, on AliExpress (1,461), eBay (288) and Amazon Marketplace (90) that use apps with inadequate security protection that could leave users exposed to hackers or infringement of their data privacy.
Worryingly it is also difficult to trace the firms behind these white-label products. Which? has often found that they are based in Shenzhen or Hangzhou – two major electronics markets in China – and in most cases have limited clear contact details for consumers to report problems to and get vulnerabilities fixed.
Which? found 1,727 different products – including products that were unbranded, from little-known brands or clones of legitimate items – sold on online marketplaces and all operated via just four apps, Aiwit, CamHi, CloudEdge and Smart Life. Working with security experts, 6point6 and NCC Group, Which? found that all these apps had potential security issues that could make them easy prey for hackers or put users’ privacy at risk.
Based on reported figures and available data, Which? believes that hundreds of thousands of these devices have been sold and could be in use in homes.
Password security was a widespread problem across the apps. By allowing weak default or user-chosen passwords, these apps potentially put users at risk of hackers finding the exact location of their home and targeting other, more valuable smart devices linked to their home broadband network. If exploited, it could even allow the hacker to view live footage on a smart doorbell or a wireless camera.
As well as weak passwords, other issues uncovered included unencrypted data transfers and, in the case of Smart Life, a vague privacy policy requiring clarification. While there are no laws currently mandating a certain level of security and privacy protection in smart products, some of the flaws Which? found would be made illegal under new legislation currently being planned by the UK government. Its Product Security and Telecommunications Infrastructure Bill is expected to be introduced to parliament in the coming months.
Particularly concerning to Which?’s researchers was how difficult it was to report vulnerabilities to the companies behind the apps. Apart from Aiwit, Which? had to do extensive research to find the original app developer who could fix the problems it found.
A clear vulnerability disclosure policy is going to be a key part of the government’s legislation, but of the four apps only Smart Life appeared to have one, and even that emerged only after Which? tracked down its actual developer, Tuya: the app listed a different developer with no web presence, which Which? found was a Tuya subsidiary.
In its investigation Which? also found 112 out-of-support Android tablets for sale on AliExpress and eBay. Some of them had not received a security update for more than seven years, and such updates are crucial for defending against hackers. This was particularly concerning as many of them are actively marketed for children.
Meanwhile a lack of information about update policies was a problem across the four apps Which? looked at.
A lot of the products Which? found are clones of legitimate products or even clones of already cloned products. The consumer champion, working with 6point6 and NCC Group, combined its in-depth testing and knowledge of generic and clone smart products with a method called web scraping. This involves taking key terms, such as the name of an app experts know is used by a lot of smart products, and then using machines to trawl the marketplaces for listings that mention this term.
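The keyword trawl described above, as an added example that is not Which?’s, 6point6’s or NCC Group’s own tooling: listing records are constructed sample data, and the spelling variants of each app name are assumptions.

```python
"""Keyword trawl of marketplace listings for apps shared by many clone devices.

Mirrors the method in the release: take the names of apps known to be used by
many white-label products and search listing text for them. All listings below
are constructed samples, not real marketplace data.
"""
import re
from collections import defaultdict

# The four apps named in the release, with assumed spelling variants sellers
# use in listing text (regex fragments, matched case-insensitively).
APP_TERMS = {
    "Aiwit": [r"aiwit"],
    "CamHi": [r"cam\s?hi(?:\s?pro)?"],
    "CloudEdge": [r"cloud\s?edge"],
    "Smart Life": [r"smart\s?life", r"tuya\s?smart"],
}
# One compiled pattern per app; word boundaries stop e.g. 'camhigh' matching.
_PATTERNS = {app: re.compile(r"\b(?:" + "|".join(v) + r")\b", re.I)
             for app, v in APP_TERMS.items()}
UNBRANDED = re.compile(r"\b(?:unbranded|no\s?brand|generic)\b", re.I)


def detect_apps(text):
    """Return the set of known shared-app names mentioned in listing text."""
    return {app for app, pat in _PATTERNS.items() if pat.search(text)}


def triage_listings(listings):
    """Group listings by the shared app they mention.

    Each listing is a dict with 'id', 'marketplace', 'brand' and 'text'.
    A listing is flagged unbranded when it names no brand or says so in its
    text. Listings mentioning none of the apps are left out for manual review.
    """
    by_app = defaultdict(list)
    for item in listings:
        unbranded = not item.get("brand") or bool(UNBRANDED.search(item["text"]))
        for app in sorted(detect_apps(item["text"])):
            by_app[app].append({"id": item["id"], "marketplace": item["marketplace"],
                                "unbranded": unbranded})
    return dict(by_app)


# Constructed sample listings (hypothetical products and sellers).
SAMPLE_LISTINGS = [
    {"id": "L1", "marketplace": "aliexpress", "brand": "",
     "text": "1080P WiFi Video Doorbell, works with Aiwit app, no hub needed"},
    {"id": "L2", "marketplace": "ebay", "brand": "",
     "text": "Unbranded wireless IP camera, CamHi Pro app, night vision"},
    {"id": "L3", "marketplace": "amazon", "brand": "ExampleCam",
     "text": "Outdoor camera, app: CloudEdge, 2-way audio"},
    {"id": "L4", "marketplace": "aliexpress", "brand": "",
     "text": "Smart plug compatible with Tuya Smart / Smart Life"},
    {"id": "L5", "marketplace": "ebay", "brand": "KnownBrand",
     "text": "Bluetooth speaker, app: BrandAudio"},
]
```

Running `triage_listings(SAMPLE_LISTINGS)` returns one entry per app with the matching listings and their unbranded flag; the real investigation applied the same idea to thousands of live listings.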
Usually with smart tech, a company has a single app that they use with their products and maintains it accordingly. The difference with clone devices is that various different products from different manufacturers and sellers will use the same app. So, if that app has a vulnerability that is not fixed, all devices using it are also potentially vulnerable. Likewise, some apps have become so large that they are almost like operating systems. In that sense they could pose risks to consumers’ data privacy.
These products also appear to be selling at scale. The products across all four apps found on Amazon had a total of 37,129 reviews at an average 4.1-star rating, and 15 of the products carried Amazon’s Choice labels. Based on the data Which? has available, the devices found on AliExpress appeared to have sold more than 240,000 units collectively. Which? was unable to find sales data for eBay devices.
Which? is warning consumers to be cautious when shopping for bargains this Black Friday due to potential security and privacy risks with lots of cloned or unbranded smart products.
Smart products by established brands do tend to be more expensive. For example, some cheap lookalikes can sell for around a third of the price of a Ring smart doorbell. However, Which? believes that it is not worth consumers compromising their security or privacy by choosing a substandard product.
Which? is supportive of the government bringing forward legislation to make products without adequate security requirements illegal. The consumer champion is urging the government to act quickly, mandate minimum support periods so devices are supported for as long as possible, and clarify how it will tackle this issue on online marketplaces and with non-UK based manufacturers of security-risk products.
Kate Bevan, Which? Computing editor, said:
“Our investigation has uncovered concerning security flaws with smart products that have flooded online marketplaces and could put consumers at risk this Black Friday.
“Which? is warning consumers to be cautious when shopping for connected tech products. Make sure you have researched the product you’re thinking of buying and choose one that doesn’t play fast and loose with security.”
Notes to editors
- Video available for use – A hacker shows Which? how easy it is to get into smart devices: https://www.youtube.com/watch?v=zwKANw33rb4
- Find out how long your tech will last with Which?’s free security tools: https://www.which.co.uk/news/2021/10/why-you-need-to-consider-security-when-buying-a-smart-device/
Example product comparison:
Aiwit doorbell, £43 vs. Ring Video doorbell, £178
How to spot a dodgy smart product
- Be wary of unknown or unbranded smart products. While we should not just automatically default to well-known and often expensive brands, it does matter which company has made the product you are considering. Which? has found thousands of products available on online marketplaces with no brand name at all. Not only do you have no idea who made the doorbell or camera, but it is possible the seller doesn’t know either.
- Look at the product images and description. Run a search on the marketplace, such as ‘wireless cameras’. Try to spot products that look nearly identical. For example, most CloudEdge doorbells have a distinctive hood that’s easy to spot. Proceed with caution with any devices that look generic or common.
- Always check the negative user reviews, not just the overall score. There is a big problem with fake reviews on online marketplaces. Fake customer reviews involve a company soliciting lots of positive reviews, either through established schemes or by offering incentives to people to give positive ratings to products they’ve bought. Always check the negative reviews, too. The one- and two-star reviews often cite problems with security – Which? has seen real cases of hacking reported in some of them – but also safety issues or general problems with functionality.
- Check what app the smart product uses. If you see a smart product that you’re interested in, find out what mobile app it is using. You can do this on the product listing (type Ctrl+F and then ‘app’) or via research online. Once you have the app name, you can then search for it on Google Play or Apple’s App Store. These listings have information on who made the app.
Additional info
- Which? also found in a search on eBay on a single day in October 2021 that there were 2,640 smart doorbells listed as ‘unbranded’, and 8,022 unbranded wireless cameras.
- Usually with smart tech, a company has a single app that they use with their products and maintain it accordingly (eg, Nest app with Nest thermostats and cameras). The difference with clone devices is that various different products (it could be hundreds in some cases) from different manufacturers and sellers will use the same app. So, if that app has a vulnerability that is not fixed, all devices using it are also potentially vulnerable. Likewise, some apps have become so large that they are almost like operating systems. In that sense they could pose risks to consumers’ data privacy.
- Software updates (or firmware updates when they are related to the hardware) are vital as they can improve products over time, but more crucially fix any problems or security vulnerabilities that occur. An unsupported product, such as the Android tablets listed here, is not instantly going to get hacked, but if it does develop a vulnerability, the manufacturer may not be willing or even able to fix it.
Rights of Reply
AliExpress
AliExpress said that they appreciated Which? bringing this to their attention and confirmed that they are looking into it, but did not provide further comment at this time.
Amazon
“Safety is important to Amazon and we want customers to shop with confidence on our stores. We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns.”
eBay
“eBay encourages all members to take appropriate security precautions with any internet connected devices purchased on the marketplace, in the same way they would with their other connected devices. The items shared with us by Which? are permitted for sale on eBay and do not violate our policies. Our sellers must ensure their listings comply with any applicable laws; any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers. If the UK Government introduces new regulations in this area, sellers will of course have to comply with them.”
Aiwit
iOS: https://apps.apple.com/gb/app/
Android: https://play.google.com/store/
Which? contacted EKEN about the findings on its app but it did not respond.
CloudEdge
iOS: https://apps.apple.com/us/app/
Android: https://play.google.com/store/
Although the developer is listed in the above links as either Arenti Europe or Brian Borghardt, CloudEdge is actually developed by Meari Technologies. Which? also believes that Meari produces some of the white label hardware that is sold on by other brands. For example, this doorbell model:
Original: https://www.meari.com/bell-7s-
Retail versions: https://www.amazon.co.uk/gp/
Which? has contacted Meari about its security/privacy findings on CloudEdge but it did not respond by the time of publication.
Smart Life
iOS: https://apps.apple.com/gb/app/
Android: https://play.google.com/store/
The developer of the app is listed as Volcano Technology, but through research Which? found that this is a subsidiary of Tuya, a large IoT services provider. Tuya, which maintains the app, responded to Which? and fixed a password security issue in the app Which? found. Which? has no other security concerns about the app, but has raised questions about Tuya’s privacy policy and was in the process of clarifying these.
Tuya had not provided comment at the time of publication.
CamHi
iOS: https://apps.apple.com/us/app/
Android: https://play.google.com/store/
Most of the critical issues Which? reported about CamHi in June 2020 have now been fixed by the developer, and the app now enforces a password. Which? still has concerns about CamHi, however, and has put these again to the developer, HiChip, and its business partner, ieGeek.
Talks were ongoing at the time of publication. CamHi has agreed to introduce some fixes that should help improve things a little.
HiChip (maker of CamHi) said: “Thanks to the Which? team for letting us know the security risks. Many users don’t change the default password of the IP camera, so we have modified our CamHi and CamHi Pro apps so that users must change the password. And we will enforce a stronger password policy in the next app version.”
If you have a device that runs CamHi, make sure you change the default password and set a strong password to increase your security.
About Which?
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.