More than 100,000 smart devices in the UK – and millions more worldwide – have been made more secure following Which? intervention to improve hacking protections.
The maker of CamHi – an app that has been downloaded millions of times globally – has imposed stronger password protections and other improvements following our exposure of various vulnerabilities.
We have also closed a security vulnerability with a Yale Burglar alarm after finding an issue in our testing. Read on for more on how we are working to make your smart devices more secure.
Security risks leave wireless cameras open to being hacked
We first reported concerns with wireless cameras running a mobile app called CamHi back in 2019.
Working with US security researcher Paul Marrapese, we showed in June 2020 how more than 100,000 devices being used by real UK consumers could be trivially hacked, leaving users open to being spied on, having their data targeted, or having other devices they own compromised.
In a subsequent investigation into insecure smart tech being sold on UK marketplaces, we found nearly 600 different products listed that used CamHi, including popular brands such as ieGeek. All of these devices had various significant security risks.
In a scan in December 2021, we found 108,000 CamHi devices online in the UK, and 2.7 million such devices online worldwide. The real number is likely much higher, as our scanning tools can only see so far.
Working with HiChip to improve CamHi security
Over the course of the past two years we have been working with HiChip, the company based in Shenzhen, China that is behind CamHi, to improve security on the app.
In our July 2021 hackable home investigation, an ieGeek camera running CamHi was hacked by real cybercriminals after its weak default password was successfully breached. This shows the very real risk from devices using weak default logins with terms such as ‘admin’.
Following a change by HiChip, every device set up through the CamHi app must now have its default password changed by the user during installation.
This change, which comes in ahead of the UK government banning the use of default passwords, will vastly enhance security for the user.
There’s no point making the user change their password if they can then just pick a weak or easily guessable password of their own.
So HiChip has agreed to enforce a strong password policy, including blocking generic terms such as ‘password’ and ‘admin’.
For CamHi devices that are already set up in people’s homes, the app will remind them to change the default password and warn them if what they have chosen is weak.
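The policy described above has two parts: a first-run check that refuses the factory default and generic terms, and an audit of devices already installed that either demands a change or warns that the chosen password is weak. The following is an added example of how such a check can be written; it is not HiChip’s or CamHi’s code. Only ‘admin’ and ‘password’ are named in the article; the rest of the denylists, the minimum length, the character-class rule and the leet-speak normalisation (so that ‘P@ssw0rd’ is still caught as ‘password’) are assumptions chosen for illustration.

```python
"""Password policy for first-run smart-camera setup and for auditing existing devices.

Added example, not HiChip's or CamHi's code. The denylists, minimum length and
character-class rule are assumptions used to illustrate the policy described.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed list of factory-default logins a vendor would refuse to keep.
# Only 'admin' is named in the article; the others are assumed examples.
FACTORY_DEFAULTS = {"admin", "123456", "888888"}

# Constructed list of generic terms blocked wherever they appear in the password.
GENERIC_TERMS = {"password", "admin", "camera", "camhi", "root", "user",
                 "guest", "default", "letmein", "qwerty"}

# Undo common substitutions before matching: @->a, $->s, 0->o, 1->l, 3->e, !->i, 4->a
LEET = str.maketrans("@$013!4", "asoleia")
MIN_LENGTH = 10     # assumed threshold
MIN_CLASSES = 3     # assumed: at least three of lower/upper/digit/symbol


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def normalise(pw: str) -> str:
    """Lower-case and reverse leet substitutions so denylist matching is robust."""
    return pw.lower().translate(LEET)


def check_password(candidate: str, current: Optional[str] = None) -> PolicyResult:
    """Return whether `candidate` is acceptable, listing every rule it fails."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in FACTORY_DEFAULTS:
        reasons.append("is a factory default")
    if current is not None and candidate == current:
        reasons.append("is unchanged from the current password")
    norm = normalise(candidate)
    for term in sorted(GENERIC_TERMS):
        if term in norm:
            reasons.append(f"contains generic term '{term}'")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(candidate)) <= 2:
        reasons.append("is made of one or two repeated characters")
    return PolicyResult(ok=not reasons, reasons=reasons)


def audit_existing(current: str) -> str:
    """For already-installed devices: 'default' (must change), 'weak' (warn) or 'ok'."""
    if current in FACTORY_DEFAULTS:
        return "default"
    return "ok" if check_password(current).ok else "weak"


if __name__ == "__main__":
    # Constructed sample inputs: a default, a leet-speak generic term,
    # a single repeated character and an acceptable password.
    for pw in ("admin", "P@ssw0rd123!", "aaaaaaaaaa", "Tq7#vR9!mLp2"):
        r = check_password(pw, current="admin")
        verdict = "accepted" if r.ok else "rejected: " + "; ".join(r.reasons)
        print(f"{pw!r}: {verdict}")
    for pw in ("admin", "aaaaaaaaaa", "Tq7#vR9!mLp2"):
        print(f"installed device with {pw!r}: {audit_existing(pw)}")
```

The substring match after normalisation is what makes the ‘password’ rule meaningful: a length or character-class rule alone would accept ‘P@ssw0rd123!’. The same check drives both the installation screen and the reminder for existing devices, so the two code paths cannot drift apart.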
Another key aspect of the government’s new product security law is that companies must have a clear security point of contact for the devices and apps they produce.
Previously, CamHi listed the name Frank Zhao, HiChip’s founder, and a general Gmail address on its Google Play store listing. As this was not clear enough, the listing now gives the contact email firstname.lastname@example.org. HiChip has said that an engineer will respond to anyone who contacts this email with an issue with the CamHi app.
If your smart device is running the CamHi app, you should update both the camera and the app to ensure you have the latest security protections.
Peter Han, HiChip’s founder and general manager, told us: ‘Thanks to the Which? team and Paul Marrapese, their professional knowledge and sense of responsibility have helped our company improve product security so much. This work has greatly improved the level of consumer privacy protection.
‘We hope to continue to cooperate with Which? and Paul to make our products as secure as possible.’
HiChip is currently developing a cloud storage service for CamHi and hopes to launch this in early 2022. We have agreed to give advice on how to make this as secure as possible for users.
Security testing at Which?
At Which?, we want consumers to be able to buy smart devices with confidence – that’s why we run rigorous security and privacy tests in over 30 smart device categories, to ensure you are afforded strong protection against hackers and cyber-threats.
And this threat is real – we recently exposed a home full of connected devices to the internet and detected over 12,000 hacking or scanning attempts in just a week.
Using smart devices in the home that don’t offer sufficient protection just isn’t worth the risk, which is why we clearly flag in our reviews if a device is vulnerable, and work with companies to improve standards.
Yale alarm made more secure
We put smart products through a barrage of assessments to see how well they fend off hacking attacks.
We recently reported on an issue with a Yale smart alarm that could enable a cybercriminal to access a web interface for the alarm, potentially enabling them to control the system, including arming and disarming.
We contacted Yale about the issue with the Yale IA320 Starter Kit and it has successfully released a fix, which we have since verified.
‘As part of our dedication to provide security and peace of mind to our customers, the software update for the Sync Smart Home Alarm has been syndicated to all current users. It has also been built into the system of all available Sync Smart Home Alarms,’ Yale told us.
‘The update to the software means there will be no way for a user to access or enable the Web UI functionality, ensuring the security of the user.
‘At Yale, the security of our customers has always been our priority. Yale will continue to ensure all security products are regularly updated and tested to ensure they are meeting and exceeding the required standards.’
Regulation required for insecure smart devices
When it comes to products that can pose a security or privacy risk to you, more must be done to prevent them going on sale.
We support the new government legislation that will attempt to put in place a baseline of security for smart products. However, we know that it won’t go far enough to fully deal with the problem.
Manufacturers must have clear points of contact so that vulnerabilities in their products can be disclosed, and must then respond to the issues positively and proactively.
Under the law you will be told how long your product will be supported with security updates when you buy it – but we also want manufacturers to support products for as long as possible.
There are huge benefits to buying and owning smart products. But if a smart product isn’t made with good security, it just isn’t safe. And if it isn’t safe, it shouldn’t be on sale.