We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Could your smart home be hacked?

Which? investigation reveals vulnerable smart and internet of things gadgets that could leave your home open to hackers

Could your smart home be hacked?

A Which? investigation has shown how hackers can gain access to a home network and various connected devices in a matter of days. Welcome to the hackable home.

No longer just tech-industry hype, smart gadgets are fast becoming household staples. It’s estimated that there will be a staggering 75.4bn connected devices in the world by 2025.

Smart home hubs – Amazon Echo, Google Home and more expertly tested

Hacking a real home

We set up a real home with a host of smart gadgets – from a CCTV camera system to a Bluetooth cuddly toy – and hired ethical security researchers SureCloud to hack it. Watch our video above to see the results.

Alongside a range of hacking techniques, SureCloud ran surveillance on the home and those who lived there to gather information that could be used to breach their digital security (all with their consent, of course).

Some of the devices proved harder to hack than others, but eight out of fifteen were found to have a security vulnerability, including:

Internet router – This is the gateway to all connected devices within the home. The Virgin Media Super Hub 2 router was already set up in our target home, and the owner hadn’t changed the default password on the sticker. SureCloud was able to gain access to it in just a few days. In light of our investigation, Virgin is advising more than 800,000 customers with Super Hub 2s to change their password. Find out more in our Super Hub 2 news story.

CCTV camera – With some wireless cameras, hackers don’t even need to try hard to gain access. We investigated a home CCTV camera system, branded Fredi Megapix, which operates over the public internet using a default administrator account without a password. Alongside the camera in our test house, we found thousands of similar cameras available, which could let anyone watch the live feed over the internet. We were unable to contact Fredi Megapix to share our findings.

Smart children’s toy – CloudPets are stuffed toys that enable family and friends to send messages to a child. Building on an already-published flaw, the SureCloud team hacked the toy and made it play their voice messages instead. As you can see in the video report, we used a hacked CloudPet cat to order cat food from an Amazon Echo. This was a bit of fun but, while we didn’t test this specifically in our investigation, we’re concerned that anyone could use the same method to ‘speak’ to children from outside the home. Find out more in our CloudPets news story.

Make it ‘secure by design’

Which? tests many smart products for how well they protect your online privacy and security. As we have done in this investigation, when we find a significant vulnerability we contact the manufacturer of the affected product or service to address it.

However, we believe that more needs to be done. The industry must take the security of internet-enabled and smart products seriously by incorporating it as a top priority from the outset.

For more information on how to better protect your smart home devices, and advice on data privacy, head to our five ways to protect your smart home from hackers guide.

Expert view – Melissa Massey, Which? Consumer Rights

If your data is lost and this causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost it.

Organisations are bound by the Data Protection Act 1998 to keep your data secure, which means they must take measures to prevent unauthorised or unlawful processing of your personal data.

They must also protect against accidental loss or destruction of, or damage to, your personal data. You can find more information, including how to make a compensation claim, in our data loss guide.

Back to top
Back to top