From smart doorbells that could open the door to hackers, to tablets long past their use-by date, we've found 1,839 individual products listed on UK online marketplaces - Amazon, eBay and AliExpress - that are suspected to have security and privacy risks.
As insecure devices could leave you open to being targeted by hackers, it's important to do your research when shopping for smart devices.
Read on for more on our investigation, along with in-depth advice on buying, using and also returning smart products with security issues.
Find out how you could be at risk due to insecure smart home tech.
There are thousands of smart devices on sale online, so even the close to 2,000 that made up our investigation don't cover every product you can buy.
The situation becomes even more difficult to judge when the product doesn't have a brand attached to it. For example, in a search on eBay on a single day in October 2021 we found that there were 2,640 smart doorbells listed as 'unbranded', and 8,022 unbranded wireless cameras.
So, we instead focused on the apps that we know from previous research are used by many devices to get online.
We combined in-depth testing and knowledge of generic and clone smart products, with a method called web scraping. This involves us taking key terms, such as the name of an app, and then trawling the marketplaces for listings that mention this term.
After fully checking over the data, we can give a picture of just how many devices we think are on sale that all use the same app or characteristic, and so could have similar problems.
1,727 of the products we found, including devices that were unbranded, from little-known brands or suspected clones of legitimate items, used just four apps - Aiwit, CamHi, CloudEdge and Smart Life.
Working with security experts, 6point6 and NCC Group, we found that all these apps had potential security issues that could make them easy prey for hackers, or other issues that could put your privacy at risk.
The products we found were certainly popular. The identified devices had 37,129 reviews on Amazon at an average 4.1 star rating, with 15 featuring Amazon Choice labels.
Based on the data we had available, the devices found on AliExpress appeared to have sold more than 240,000 units collectively. We were unable to find sales data for eBay devices.
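The matching and aggregation step described above (take an app name as a key term, match it against listing text, then count products and reviews per app) can be illustrated with a small, offline version. This is an added example written for this article, not Which?'s own scraping tooling; the listing records are constructed sample data, and the field names (`title`, `description`, `reviews`, `rating`) are assumptions about what a scraper would collect. It also shows two details the text only implies: de-duplicating listings that appear twice, and weighting the average star rating by review count.

```python
import re
from collections import defaultdict

# App names the investigation used as key terms (names from the article).
APP_TERMS = ["Aiwit", "CamHi", "CloudEdge", "Smart Life"]

# Constructed sample listings; not real marketplace data. The last record
# repeats an earlier id to show that duplicates are counted once.
SAMPLE_LISTINGS = [
    {"id": "L1", "marketplace": "amazon", "title": "WiFi Video Doorbell 1080P",
     "description": "Works with Aiwit app. Two-way audio.", "reviews": 1200, "rating": 4.3},
    {"id": "L2", "marketplace": "aliexpress", "title": "IP Camera Outdoor",
     "description": "Control via CamHi Pro APP, ONVIF", "reviews": 0, "rating": 0.0},
    {"id": "L3", "marketplace": "ebay", "title": "Smart Plug UK",
     "description": "Tuya smart life APP compatible", "reviews": 45, "rating": 4.0},
    {"id": "L4", "marketplace": "amazon", "title": "Baby Monitor",
     "description": "Use the CloudEdge app on iOS/Android", "reviews": 300, "rating": 3.8},
    {"id": "L5", "marketplace": "amazon", "title": "Brand X Doorbell",
     "description": "Works with the Brand X app only", "reviews": 800, "rating": 4.6},
    {"id": "L1", "marketplace": "amazon", "title": "WiFi Video Doorbell 1080P",
     "description": "Works with Aiwit app. Two-way audio.", "reviews": 1200, "rating": 4.3},
]


def compile_patterns(terms):
    """Whole-word, case-insensitive patterns; multi-word names tolerate
    missing or extra whitespace ("smartlife", "smart  life")."""
    return {
        term: re.compile(r"\b" + r"\s*".join(re.escape(w) for w in term.split()) + r"\b",
                         re.IGNORECASE)
        for term in terms
    }


def match_apps(listing, patterns):
    """Return every app term mentioned in the listing's title or description."""
    text = f"{listing['title']} {listing['description']}"
    return [app for app, pat in patterns.items() if pat.search(text)]


def summarise(listings, terms=APP_TERMS):
    """Count unique products per app and aggregate their reviews and ratings."""
    patterns = compile_patterns(terms)
    seen = set()
    per_app = defaultdict(lambda: {"products": 0, "reviews": 0, "weighted": 0.0})
    unmatched = 0
    for item in listings:
        key = (item["marketplace"], item["id"])
        if key in seen:           # same listing scraped twice: count once
            continue
        seen.add(key)
        apps = match_apps(item, patterns)
        if not apps:
            unmatched += 1
            continue
        for app in apps:
            stats = per_app[app]
            stats["products"] += 1
            stats["reviews"] += item["reviews"]
            stats["weighted"] += item["reviews"] * item["rating"]
    report = {}
    for app, stats in per_app.items():
        # Review-weighted average; None when no listing had any reviews.
        avg = round(stats["weighted"] / stats["reviews"], 2) if stats["reviews"] else None
        report[app] = {"products": stats["products"], "reviews": stats["reviews"],
                       "avg_rating": avg}
    return {"by_app": report, "unmatched": unmatched, "total_unique": len(seen)}


if __name__ == "__main__":
    for app, stats in summarise(SAMPLE_LISTINGS)["by_app"].items():
        print(app, stats)
```

A listing that names none of the key terms (the "Brand X" record) is reported as unmatched rather than silently dropped, so the share of the catalogue the method cannot classify stays visible.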
As many of the security and privacy issues we've found still remain active, we are not publishing any individual details on vulnerabilities. If you have one of these products, scroll to the bottom of the page for tips on how to increase your security.
In October 2021, we found 117 devices running CloudEdge across the three major online marketplaces. Our research team also found a whole host of problems with the CloudEdge app.
Although the developer is listed on Google Play as either Arenti Europe or Brian Borghardt, CloudEdge is actually operated by Meari Technologies.
We have contacted Meari about our security/privacy findings on CloudEdge, but it had not responded by the time of publication.
We found 596 products running CamHi/CamHi Pro in October 2021, with the vast majority listed on AliExpress.
We still have concerns about CamHi, however, and have put these again to the developer, HiChip (Mr Frank Zhao, HiChip's founder, is listed as CamHi's developer on app stores), and its business partner, ieGeek.
HiChip has responded well to our disclosure and has already moved to address many of our concerns; we remain in talks with the company at the time of publication.
'Thanks to the Which? team for letting us know the security risks,' a HiChip spokesperson told us.
'Many users don't change the default password of the IP camera, so we have modified our CamHi and CamHi Pro apps so that users must change the password. And we will enforce a stronger password policy in the next app version.'
HiChip has said that it will add a vulnerability disclosure policy to CamHi app store listings to make it easier for security researchers to disclose future vulnerabilities.
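HiChip's two fixes, forcing a change away from the factory default and enforcing a stronger password policy, are a common pairing in device onboarding. The check below is an added illustration of that pattern, not HiChip's or CamHi's code; the list of factory defaults, the 12-character minimum and the character-class rule are assumptions chosen for the example, not the policy the vendor has announced.

```python
import re

# Constructed list of factory defaults for the example; a real device would
# hold the defaults its own firmware ships with (assumption).
KNOWN_DEFAULTS = {"", "admin", "123456", "password", "12345678"}
MIN_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def must_change_password(current, known_defaults=KNOWN_DEFAULTS):
    """True when the camera is still on a factory default and setup must not
    proceed until the user has chosen a new password."""
    return current in known_defaults


def password_problems(candidate, known_defaults=KNOWN_DEFAULTS, username=None):
    """Return the policy rules a candidate password violates (empty = accepted).
    Reporting every failed rule lets the app tell the user what to fix."""
    problems = []
    if candidate in known_defaults:
        problems.append("default_password")
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    classes = sum(bool(re.search(p, candidate)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("low_diversity")
    if username and username.lower() in candidate.lower():
        problems.append("contains_username")
    if re.fullmatch(r"(.)\1*", candidate):   # e.g. "aaaaaaaaaaaa"
        problems.append("repeated_character")
    return problems


def onboarding_gate(current, candidate, username=None):
    """Decide whether setup may complete. Returns (allowed, reasons)."""
    if not must_change_password(current):
        return True, []            # already off the default, nothing to enforce
    reasons = password_problems(candidate, username=username)
    return (not reasons), reasons


if __name__ == "__main__":
    print(onboarding_gate("admin", "admin", username="admin"))
    print(onboarding_gate("admin", "Porch-Cam#2021-front", username="admin"))
```

The gate only blocks when the current password is a known default, so an existing user who has already chosen a password is not forced through the flow again; the policy still applies to every new password the app accepts.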
Aiwit is the only app we looked at where the developer is clearly listed on app stores - Eken Technologies.
We found 76 devices running Aiwit, mostly cameras and smart doorbells, such as the model in the picture below (which looks very similar to a Ring doorbell).
Although Aiwit was running on the fewest devices of all the apps we assessed, we discovered a range of security and privacy concerns with the software.
Despite multiple attempts, Eken did not respond when we contacted it and so these issues remain unresolved. If you have a device that runs Aiwit, make sure you review our security advice further down this article.
With 938 individual products found on the three marketplaces running an app called Smart Life, this app is fast becoming an IoT platform akin to Philips Hue or Apple HomeKit.
There is a huge variety of Smart Life devices - from security cameras to water leak sensors to even smoke alarms.
While the listed developer of Smart Life on app stores is Volcano Technology, we've found that it is actually a subsidiary of Tuya, a large IoT services provider.
Tuya, which maintains the app, responded to us and fixed a password security issue we found in the app.
There aren't many decent Android tablets for under £100 (Amazon's cheap Fire tablet range runs a modified or 'forked' version of the operating system). So, you could be tempted to trawl the marketplaces for an older, cheaper model.
Before you buy, however, you need to consider whether the operating system is still supported with updates.
When we scraped AliExpress in October 2021, we found 25 Android tablets running an out-of-date version of Android (which we defined as Android 7.0 or earlier). However, we found many more (87) old Android tablets when we scraped eBay.
These eBay tablets were clearly listed for sale running Android 7.0 or earlier, which Google and the tablet brands stopped supporting more than two years ago. Many tablets ran Android 4.4 KitKat, which had its last update more than seven years ago.
You might think they are mostly second-hand tablets being sold by former owners. In fact, 61 were listed as new or 'opened but never used' on eBay. Many of these tablets were also actively being marketed as for use by children.
Don't buy anything running Android 8 or earlier. We also advise caution on buying a tablet running Android 9 as it was due to lose support in October. Go for Android 10 or 11 if you can.
We contacted all three online marketplaces about our findings.
AliExpress said that it appreciated us bringing this to its attention and confirmed that it is looking into the problems we found, but did not provide further comment at this time.
Amazon said: 'Safety is important to Amazon and we want customers to shop with confidence on our stores. We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns.'
eBay told us: 'eBay encourages all members to take appropriate security precautions with any internet connected devices purchased on the marketplace, in the same way they would with their other connected devices. The items shared with us by Which? are permitted for sale on eBay and do not violate our policies.
'Our sellers must ensure their listings comply with any applicable laws; any listings on our platform that do not comply with UK regulations or that violate our policies will be removed, with appropriate enforcement action taken against sellers.
'If the UK Government introduces new regulations in this area, sellers will of course have to comply with them.'
When it comes to products that can pose a security or privacy risk, Which? believes that more must be done to prevent them from going on sale.
However, considering that none of the products we found in this investigation would comply with the law, the challenge of regulating smart devices is huge. We are also concerned that the law won't go far enough.
While the PSTI law will make it law that you must be told how long your product will get updates when you buy it, we also want manufacturers to support products for as long as possible.
There are huge benefits to buying and owning smart products. They make it easier to live our lives, whether that's controlling our heating or watching Netflix on a smart TV.
However, if a smart product isn't made with good security, it just isn't safe. And if it isn't safe, it shouldn't be on sale.
Follow our tips on how to spot potentially insecure tech when shopping for new smart devices.
However, there are steps you can take to increase your security.
What happens if you buy or own a smart product with a security risk and want to take it back? There isn't currently a legal requirement for products you buy to meet a certain level of security. The PSTI will change that when it comes into force.
The Consumer Rights Act 2015 requires goods to be 'as described' and of 'satisfactory quality', which means products must meet the standard that a reasonable person would expect, so that they are fit for their usual purpose. Failure to meet these requirements means you could, depending on the circumstances, have the right to ask for some or all of your money back, a repair, or a replacement.
The UK government has said that the PSTI bill will eventually 'fit within this legal framework', so it's worth contacting the place where you bought the smart goods about the security issue. Depending on how long ago you bought the product, you might have to prove the case, possibly by using a report from Which? or another reputable source.
If unsuccessful, you could escalate the case to a small claims court, but you'll need to convince the judge that you have a case. Alternatively, if the product cost more than £100 and you paid by credit card, you could put a claim to your card provider, as Section 75 of the Consumer Credit Act makes the card provider jointly liable for any breaches of contract.