Wales Online
Jonathan Chadwick & Jamie Barwick

Which? finds alarming number of security flaws in smart home devices

An investigation has revealed how smart home devices such as the Amazon Echo can be hacked and used to crash websites, steal data and snoop on users. Consumer group Which? found a staggering 37 vulnerabilities across eight test devices, including 12 rated as high risk and one as critical, reports the Mail Online.

Examples include the first generation Amazon Echo smart speaker, released in 2014, and a Virgin Media internet router from 2017, with both leaving users exposed to cybercriminals. Which? found that some of the vital security updates could not be installed due to the age of the product.

"Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals," said Rocio Concha, Which? director of policy and advocacy. "These weaknesses can lead to significant economic damage, but it is chilling to think that they can also be exploited by domestic abusers."


Domestic abuse survivors can also be tracked and controlled by ex-partners who exploit weak security on devices including Wi-Fi routers and security cameras. For its investigation, Which? purchased eight products from different brands and set them all up in a simulated home before inviting 'ethical hackers' to attack them.

Ethical hackers penetrate computer systems or networks on behalf of their owners, and with their permission, often for the purposes of research. As well as the first generation Amazon Echo and the Google doorbell, the list included the Samsung Galaxy S8 Android smartphone, the Wemo smart plug and the Liv Cam baby monitor.


Which? selected these products because they are likely to be sitting in the homes of thousands of consumers, even though they are not newly released. Some of these products had been abandoned by the manufacturer within five years of their launch. For example, the first generation Amazon Echo smart speaker lost security support in autumn 2021, Which? said.

In response, an Amazon spokesperson said: "Privacy and security are foundational to how we design and deliver devices, features, and experiences. We released a fix for this issue for 2nd generation Echo devices in 2017, and all newer Echo devices are not impacted by this issue."

On a Google Nest Hello video doorbell, hackers were able to spam the device with requests, so that it was knocked offline. An attacker could use this to stop the user's doorbell from recording if they want to approach the owner's home.

Google said that this issue with the Google Nest Hello has been resolved. According to Google's website, this device is being supported by security updates until beyond 2023, which is five years after it was released.

Samsung's Galaxy S8 Android smartphone, which stopped being supported with security updates in April 2021, was easily infected with malware, which could lead to data theft, tracking and spam adverts. Researchers infected it with Flubot malware, disguised as a DHL delivery text, that within 10 seconds leads to access to the phone owner's data.

Ethical hackers could also compromise the unsupported Virgin Media Super Hub 2 router, already found by Which? to be at risk back in 2017. Gaining control of the device allows criminals to access people's Wi-Fi, monitor what websites they are visiting and mount attacks on other connected devices. Any Virgin customers still using the Super Hub 2 should request a new router for free through Virgin's app, or they can contact customer services.


The Liv Cam baby monitor stopped being sold by popular baby products brand, Summer Infant, in early 2020, but it can still be found on second-hand online marketplaces. The monitor partners with an app that was last updated in September 2016.

Which? researchers were able to retrieve the camera's password and access the video and the audio feed. This product uses an open Wi-Fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.

A Philips TV, which is supposed to still be supported with updates, could be hacked using an easily guessable default password. Anyone within range could connect to the TV to access information on the user or could even put an image on the screen pretending to be from Netflix.

Which? found minor issues with an HP Deskjet inkjet printer, but much more serious problems with a Wemo smart plug, both of which are believed to still be receiving updates.

Which? has shared its findings with Philips and Wemo, but neither had supplied a comment by the time of publication. The consumer group is hopeful that the government’s Product Security and Telecommunications Infrastructure (PSTI) Bill, now making its way through parliament, will make firms state clearly how long they will support smart products.

Which? is calling for assurances that products will be clearly labelled with exactly how long they will last, rather than vague terms like "up to" five years of support, or "lifetime updates". The consumer champion also wants the government to introduce mandatory minimum periods for how long different types of smart products must be supported, which will have to differ depending on the device.
