A home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week, a new Which? investigation has found.
We created a fake smart home and set up a range of real consumer devices, from televisions to thermostats to smart security systems and even a smart kettle – and hooked it up to the internet.
What happened next was a deluge of attempts by cybercriminals and other unknown actors to break into our devices, at one stage reaching 14 hacking attempts every single hour.
While most products were able to fend off the assault, a wireless camera bought from Amazon was hacked and a stranger used it to try to spy on our home. Read on for the full report.
Over ten thousand hacking attempts in just a week
We set up our test home in collaboration with NCC Group and IoT malware specialists, the Global Cyber Alliance (GCA), and the scale of scanning and hacking activity against the devices was breathtaking.
The lab started off slowly in May 2021 – in our first week of testing we saw 1,017 unique scans or hacking attempts coming from all around the world, with at least 66 of these being for malicious purposes. However, this built into June and during the busiest week of testing we saw 12,807 unique scans/attack attempts against the home devices.
In that week alone there were 2,435 specific attempts to maliciously log into the devices with a weak default username and password (such as admin and admin). Spread over the 168 hours of that week, that is 14 attempts by real hackers to brute-force their way into our devices every single hour.
Epson printer and ieGeek security targeted by hackers
An Epson printer was surprisingly the most attractive device to the real scammers in our test. Fortunately the attacks against this failed because it had reasonably strong default passwords in place – basic protection against the most common bulk attacks that plague smart homes. However, a wireless camera didn’t fare so well.
The £40 ieGeek security camera (pictured above) was bought from Amazon – it was labelled Amazon Choice and had more than 8,500 reviews (as of 22 June, 2021), including 68% giving the full five stars.
Not long after setting it up we detected that someone had accessed the device, could view the video feed and had even changed some of the settings.
Fortunately, Amazon removed the camera from sale following our report.
It stated ‘We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.’
For more, read our story on how the ieGeek security camera was hacked.
Why do people hack smart products?
Plotting the origin of the hacking attempts on a world map shows that hacking traffic comes from far and wide, but the vast majority appears to originate from the USA, India, Russia, the Netherlands and China.
The problem is that in many cases you have no idea of a hacker’s actual location. And in fact, hackers can often hide their locations by using other hacked devices, or even a network of compromised computers known as a botnet.
As soon as we connected the home to the internet we were being surveilled. As well as seeing the location where scans and attacks were coming from, we could also track the time of the attempts.
Not all such scanning activity is malicious, but criminals use it to find weak and vulnerable devices to prey upon. They might do this for various reasons, including ransomware, data theft, surveillance and more.
However, we estimate that 97% of all attacks against smart devices are in order to add them into Mirai, a sprawling botnet that probes for insecure devices, such as routers, wireless cameras and connected printers coming online.
Mirai uses brute-force attacks to guess weak passwords, installs a Trojan on each device it gets into and adds that device to the botnet. From there, the botnet can be used as a powerful attack tool, as in 2016 when a Mirai flood against the DNS provider Dyn knocked Twitter, Amazon and other leading websites temporarily offline.
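The two figures above (2,435 weak-default login attempts in a week, i.e. 14 per hour, and the Mirai dictionary-guessing behind most of them) are easy to reproduce against your own logs. The script below is an added example, not tooling from Which?, NCC Group or the Global Cyber Alliance: it parses a constructed, made-up login log format (no vendor's real format), flags attempts that use well-known default username/password pairs, reports which devices were hit and which were actually entered, and turns a count into a per-hour rate. The credential list is an illustrative subset; a few of its entries are taken from the publicly released Mirai scanner source, but it is not a complete or authoritative dictionary.

```python
"""Classify honeypot login attempts against a list of weak default
credentials and compute the hourly attempt rate.

Added example: the log format, sample lines and credential subset are
constructed for illustration, not taken from the article's lab or any vendor.
"""
from collections import Counter
from datetime import datetime
import re

# Illustrative subset of default username/password pairs. Several of these
# (e.g. root/xc3511, root/vizxv, admin/admin) are in the released Mirai
# scanner source; the rest are generic defaults. Not a complete dictionary.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "123456"),
    ("admin", "password"), ("root", "root"), ("root", "admin"),
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"),
    ("support", "support"), ("user", "user"), ("guest", "guest"),
}

# Assumed (constructed) log line layout:
#   <ISO timestamp> <source IP> <device> login <ok|fail> user=<u> pass=<p>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<device>\S+) "
    r"login (?P<result>ok|fail) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

# Constructed sample log. The last line is deliberately malformed to show
# that unparseable input is skipped rather than crashing the parser.
SAMPLE_LOG = """\
2021-06-14T10:02:11 198.51.100.7 camera login fail user=admin pass=admin
2021-06-14T10:02:12 198.51.100.7 camera login fail user=root pass=xc3511
2021-06-14T10:02:13 198.51.100.7 camera login fail user=root pass=vizxv
2021-06-14T10:15:40 203.0.113.9 printer login fail user=admin pass=admin
2021-06-14T10:15:41 203.0.113.9 printer login fail user=admin pass=1234
2021-06-14T11:03:05 192.0.2.33 camera login ok user=admin pass=admin
2021-06-14T11:20:18 192.0.2.33 thermostat login fail user=alice pass=Tr0ub4dor&3
2021-06-14T12:45:59 198.51.100.7 tv login fail user=root pass=root
garbage line that should be skipped
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def is_default_credential(user, pw):
    """True if the pair is on the weak-default list (exact match)."""
    return (user, pw) in DEFAULT_CREDENTIALS


def rate_per_hour(count, window_hours):
    """Attempts per hour over an observation window, e.g. 2435 over 168 h."""
    if window_hours <= 0:
        raise ValueError("window must be positive")
    return count / window_hours


def summarise(records, window_hours):
    """Count default-credential attempts per device and source, and list
    devices where such an attempt succeeded (result == ok)."""
    hits = [r for r in records if is_default_credential(r["user"], r["pw"])]
    return {
        "default_attempts": len(hits),
        "attempts_per_hour": rate_per_hour(len(hits), window_hours),
        "per_device": Counter(r["device"] for r in hits),
        "per_source": Counter(r["src"] for r in hits),
        "compromised": sorted({r["device"] for r in hits if r["result"] == "ok"}),
    }


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG), window_hours=168)
    print("weak-default attempts:", summary["default_attempts"])
    print("per device:", dict(summary["per_device"]))
    print("devices entered with a default password:", summary["compromised"])
    print("article's figure: %.1f attempts/hour" % rate_per_hour(2435, 168))
```

The match is deliberately exact: a device that ships with admin/admin is only "protected" by the list if you also alert on the successful `ok` lines, which is what `compromised` surfaces. Feed the parser your own gateway or device logs by adjusting `LOG_RE` to their actual layout.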
Why default passwords matter
Earlier this year the UK government announced that it will introduce a Product Security and Telecommunications Infrastructure Bill that will aim to regulate insecure connected products. Which? has played a central role in making this happen.
For the first time ever, it will become a legal requirement for any companies producing or selling smart devices in the UK to ensure that they meet a basic standard of security.
Among its provisions is that default passwords on connected products, such as ‘admin’ or ‘123456’, will in effect be made illegal. During the entirety of our test we saw a total of 2,684 attempts to guess weak default passwords on just five devices, including 2,260 alone against the ieGeek camera.
Epson and Canon printers, along with a Yale security system and a Samsung smart TV, were also targeted by hackers, but the presence of a slightly stronger and unique default password was able to fend off the attackers. A change that simple is the difference between getting hacked and not.
The legislation is expected to be introduced in 2022, but in the meantime Which? will continue to routinely test products for security, including whether they use default passwords. Smart devices that fail our tests and aren’t fixed will become Don’t Buys.
How to keep your smart home secure
While it was shocking to see how many hacking attempts were detected in our smart home, it was reassuring to see how many of them failed. But it’s important to shop carefully for any devices that can be connected to the internet, so you don’t put yourself at risk.
Which? runs detailed security checks on all the smart devices we test, and if we find issues, we’ll let you know. Find out how our new Security Notice can be an invaluable warning for at-risk products.
There are also simple steps you can take that will vastly improve your connected home security.
- Change default passwords: As you can see above, a weak default password is the easiest way for a device to get hacked. Always change any password that comes with the product you buy or already own.
- Enable all security: Take some time to see what security features are available in the manual or app settings. If two-factor authentication is available, use it as it can better protect your account.
- Run updates: Always install any security updates for the product or app so you’ve got the most recent protections. Under the new law, manufacturers must tell you how long your product will be supported with such updates when you buy it.
- Be wary of phishing: Some smart devices can be remotely exploited simply with a phishing message, enabling a hacker to fully compromise the device. So, always stay vigilant to any phishing messages sent to you via text or email.
- Take it back: If you believe a smart product you own is insecure, you could try returning it to the retailer for a refund.