A home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week, a new Which? investigation has found.
We created a fake smart home and set up a range of real consumer devices, from televisions to thermostats to smart security systems and even a smart kettle - and hooked it up to the internet.
What happened next was a deluge of attempts by cybercriminals and other unknown actors to break into our devices, at one stage reaching 14 hacking attempts every single hour.
While most products were able to fend off the assault, a wireless camera bought from Amazon was hacked and a stranger used it to try and spy on our home. Read on for the full report.
We set up our test home in collaboration with NCC Group and IoT malware specialists, the Global Cyber Alliance (GCA), and the scale of scanning and hacking activity against the devices was breathtaking.
The lab started off slowly in May 2021 - in our first week of testing we saw 1,017 unique scans or hacking attempts coming from all around the world, with at least 66 of these being for malicious purposes. However, this built up into June, and during the busiest week of testing we saw 12,807 unique scans/attack attempts against the home devices.
In that week alone there were 2,435 specific attempts to maliciously log into the devices with a weak default username and password (such as admin and admin). That is 14 attempts by real hackers to brute force their way into our devices every single hour.
An Epson printer was surprisingly the most attractive device to the real scammers in our test. Fortunately the attacks against this failed because it had reasonably strong default passwords in place - basic protection against the most common bulk attacks that plague smart homes. However, a wireless camera didn't fare so well.
The £40 ieGeek security camera (pictured above) was bought from Amazon - it was labelled Amazon Choice and had more than 8,500 reviews (as of 22 June, 2021), including 68% giving the full five stars.
Not long after setting it up we detected that someone had accessed the device and could access the video feed, and had even changed some of the settings.
Fortunately, Amazon removed the camera from sale following our report.
It stated 'We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.'
The image above shows the origin of the hacking attempts from around the world. As you can see, hacking traffic comes from far and wide, but the vast majority appears to originate from the USA, India, Russia, the Netherlands and China.
The problem is that in many cases you have no idea of a hacker's actual location. And in fact, hackers can often hide their locations by using other hacked devices, or even a network of compromised computers known as a botnet.
As soon as we connected the home to the internet we were being surveilled. As well as seeing the location where scans and attacks were coming from, we could also track the time of the attempts.
Not all such scanning activity is malicious, but criminals use it to find weak and vulnerable devices to prey upon. They might do this for various reasons, including ransomware, data theft, surveillance and more.
However, we estimate that 97% of all attacks against smart devices are attempts to recruit them into Mirai, a sprawling botnet that probes for insecure devices, such as routers, wireless cameras and connected printers, as they come online.
Mirai uses brute-force attacks to guess weak passwords, installs a Trojan on each device it gets into and adds that device to the botnet. From there, the botnet can be used as a powerful hacking tool, as in 2016 when it knocked Twitter, Amazon and other leading websites temporarily offline.
For the first time ever, it will become a legal requirement for any companies producing or selling smart devices in the UK to ensure that they meet a basic standard of security.
Among its provisions is that default passwords on connected products, such as 'admin' or '123456', will in effect be made illegal. During the entirety of our test we saw a total of 2,684 attempts to guess weak default passwords on just five devices, including 2,260 alone against the ieGeek camera.
Epson and Canon printers, along with a Yale security system and a Samsung smart TV, were also targeted by hackers, but the presence of a slightly stronger and unique default password was able to fend off the attackers. A change that simple is the difference between getting hacked and not.
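The figures above (2,435 default-credential attempts in a week, 14 an hour, 2,260 against the camera alone) come from tallying honeypot login records per device. The script below is an added example of how a defender could produce that kind of tally; it is not tooling from Which?, NCC Group or the Global Cyber Alliance. The log format, the device names, the source addresses (documentation ranges) and every credential pair other than admin/admin and 123456 are constructed for the example.

```python
"""Tally default-credential login attempts from honeypot logs (added example).

Assumes a hypothetical whitespace-separated log line format:
    <ISO timestamp> <source IP> <device> <username> <password> <FAIL|SUCCESS>
Reports, per device, how many attempts used a known weak default credential
pair, how many of those succeeded, and the attempts-per-hour rate.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from math import ceil

# Weak default pairs that bulk brute-force attacks try first. 'admin'/'admin'
# and '123456' appear in the article; the remaining pairs are illustrative.
WEAK_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "123456"),
    ("root", "root"),
    ("admin", "password"),
    ("user", "user"),
}

# Constructed sample log lines (not real captured traffic).
SAMPLE_LOG = """\
2021-06-14T10:02:11Z 203.0.113.5 iegeek-camera admin admin FAIL
2021-06-14T10:07:45Z 198.51.100.7 iegeek-camera root root FAIL
2021-06-14T10:15:03Z 203.0.113.5 iegeek-camera admin 123456 SUCCESS
2021-06-14T10:41:30Z 192.0.2.9 epson-printer admin admin FAIL
2021-06-14T11:12:00Z 192.0.2.9 epson-printer admin password FAIL
2021-06-14T11:30:22Z 198.51.100.7 samsung-tv operator S3cure-Unique! FAIL
2021-06-14T12:05:09Z 203.0.113.5 iegeek-camera admin admin FAIL
"""


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, src, device, user, password, result = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "device": device,
        "cred": (user, password),
        "success": result == "SUCCESS",
    }


def summarise(log_text, window_hours=None):
    """Per-device tallies of login attempts and weak-default guesses.

    window_hours: observation window for the attempts-per-hour rate. When None,
    it is derived from the first and last timestamp (rounded up, minimum 1 h).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if not events:
        return {}
    events.sort(key=lambda e: e["time"])
    if window_hours is None:
        span = events[-1]["time"] - events[0]["time"]
        window_hours = max(1, ceil(span.total_seconds() / 3600))
    per_device = defaultdict(lambda: {
        "attempts": 0,
        "weak_default": 0,
        "weak_default_success": 0,
        "sources": Counter(),
    })
    for e in events:
        d = per_device[e["device"]]
        d["attempts"] += 1
        d["sources"][e["src"]] += 1
        if e["cred"] in WEAK_DEFAULTS:
            d["weak_default"] += 1
            if e["success"]:
                d["weak_default_success"] += 1
    for d in per_device.values():
        d["weak_default_per_hour"] = round(d["weak_default"] / window_hours, 2)
    return dict(per_device)


def compromised_devices(summary):
    """Devices where a weak default credential actually worked: the ones to pull offline and fix."""
    return sorted(dev for dev, d in summary.items() if d["weak_default_success"])


def rate_per_hour(attempts, window_hours):
    """Convert a count over a window into an hourly rate (2,435 per 168-hour week gives about 14.5)."""
    return attempts / window_hours


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for dev, d in summary.items():
        print(f"{dev}: {d['attempts']} attempts, {d['weak_default']} weak-default guesses, "
              f"{d['weak_default_per_hour']}/h, top source {d['sources'].most_common(1)[0][0]}")
    print("compromised:", compromised_devices(summary))
    print(f"article rate: {rate_per_hour(2435, 7 * 24):.1f} default-credential attempts per hour")
```

The only attempt that succeeds in the sample is against the camera with a stock admin password, which is exactly the condition `compromised_devices` flags; the printer and TV see the same guessing traffic but nothing lands, mirroring the difference a unique default password made in the test home.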
The legislation is expected to be introduced in 2022, but in the meantime Which? will continue to routinely test products for security, including whether they use default passwords. Smart devices that fail our tests and aren't fixed will become Don't Buys.
While it was shocking to see how many hacking attempts were detected in our smart home, it was reassuring to see how many of them failed. But it's important to shop carefully for any devices that can be connected to the internet, so you don't put yourself at risk.
There are also simple steps you can take that will vastly improve your connected home security.