More than 100,000 smart devices in the UK - and millions more worldwide - have been made more secure following Which? intervention to improve hacking protections.
The maker of CamHi - an app that has been downloaded millions of times globally - has imposed stronger password protections and other improvements following our exposure of various vulnerabilities.
We have also closed a security vulnerability with a Yale Burglar alarm after finding an issue in our testing. Read on for more on how we are working to make your smart devices more secure.
Working with US security researcher, Paul Marrapese, we showed in June 2020 how more than , leading to the user being spied on, have their data targeted or other devices they own potentially compromised.
In a subsequent investigation into , we found nearly 600 different products listed that used CamHi, including popular brands such as ieGeek. All of these devices had various significant security risks.
In a scan in December 2021, we found 108,000 CamHi devices online in the UK, and 2.7 million such devices online worldwide. The real number is likely much higher, as our scanning tools can only see so far.
Over the course of the past two years we have been working with HiChip, the company based in Shenzhen, China that is behind CamHi, to improve security on the app.
In our July 2021 hackable home investigation, an ieGeek camera running CamHi was after its weak default password was successfully breached. This shows the very real risk from devices using weak default logins with terms such as 'admin'.
Following a change by HiChip, all CamHi app devices when installed now must have their default password changed by the user.
There's no point making the user change their password, if they can then just pick a weak or easily guessable password of their own.
So, HiChip has agreed to enforce a strong password policy, particularly blocking generic terms such as 'password' and 'admin'.
For CamHi devices that are already set up in people's homes, the app will remind them to change the default password and warn them if what they have chosen is weak.
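The policy described above (force a change away from the default, reject generic terms such as 'password' and 'admin', and warn when the chosen password is weak) can be expressed as a small onboarding check. This is an added illustration, not HiChip's or CamHi's own code; the default list, blocked terms and length threshold are constructed assumptions.

```python
"""Onboarding password-policy check modelled on the behaviour described in the text."""
import re

# Constructed assumptions: not HiChip's real defaults or blocklist.
KNOWN_DEFAULTS = {"admin", "123456", "888888"}
BLOCKED_TERMS = ("password", "admin", "camera", "camhi")
MIN_LENGTH = 8
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(candidate: str, device_default: str = "admin") -> dict:
    """Return {'accepted': bool, 'strength': 'weak'|'strong', 'reason': str}.

    Rejections (accepted=False) mirror the hard rules: the factory default
    must be changed, generic terms are blocked and very short values are refused.
    Anything that passes is still graded so the app can warn on a weak choice.
    """
    lowered = candidate.lower()
    if candidate == device_default or lowered in KNOWN_DEFAULTS:
        return {"accepted": False, "strength": "weak", "reason": "default password must be changed"}
    for term in BLOCKED_TERMS:
        if term in lowered:
            return {"accepted": False, "strength": "weak", "reason": f"contains blocked term '{term}'"}
    if len(candidate) < MIN_LENGTH:
        return {"accepted": False, "strength": "weak", "reason": f"fewer than {MIN_LENGTH} characters"}
    # Accepted: grade it so the user can be warned about an easily guessed value.
    classes = sum(bool(re.search(pattern, candidate)) for pattern in CHARACTER_CLASSES)
    repeated = re.fullmatch(r"(.)\1*", candidate) is not None
    if classes < 3 or repeated:
        return {"accepted": True, "strength": "weak", "reason": "warn user: few character classes"}
    return {"accepted": True, "strength": "strong", "reason": "ok"}


def devices_needing_reminder(devices: dict) -> list:
    """For already-installed devices, list those still on a known default (reminder case)."""
    return [name for name, pw in devices.items() if not check_password(pw)["accepted"]]


if __name__ == "__main__":
    # Constructed sample fleet for demonstration only.
    fleet = {"hall-cam": "admin", "garage-cam": "Tr0ub4dor&3", "porch-cam": "longlowercase"}
    for name, pw in fleet.items():
        print(name, check_password(pw))
    print("remind:", devices_needing_reminder(fleet))
```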
Another key aspect of the government's new product security law is that companies must have a clear security point of contact for the devices and apps they produce.
Previously, CamHi had the name Frank Zhao, HiChip's founder, listed on its Google Play store listing along with a general Gmail address. As this was not clear enough, this has now been changed to the contact email firstname.lastname@example.org. HiChip has said that an engineer will respond to anyone who contacts this email with an issue with the CamHi app.
If your smart device is running the CamHi app, you should update both the camera and the app to ensure you have the latest security protections.
Peter Han, HiChip's founder and general manager, told us: 'Thanks to the Which? team and Paul Marrapese, their professional knowledge and sense of responsibility have helped our company improve product security so much. This work has greatly improved the level of consumer privacy protection.
'We hope to continue to cooperate with Which? and Paul to make our products as secure as possible.'
HiChip is currently developing a cloud storage service for CamHi and hopes to launch this in early 2022. We have agreed to give advice on how to make this as secure as possible for users.
At Which?, we want consumers to be able to buy smart devices with confidence - that's why we run rigorous security and privacy tests in over 30 smart device categories, to ensure you are afforded strong protection against hackers and cyber-threats.
Using smart devices in the home that don't offer sufficient protection just isn't worth the risk, which is why we clearly flag in our reviews if a device is vulnerable, and work with companies to improve standards.
We put smart products through a barrage of assessments to see how well they fend off hacking attacks.
'As part of our dedication to provide security and peace of mind to our customers, the software update for the Sync Smart Home Alarm has been syndicated to all current users. It has also been built into the system of all available Sync Smart Home Alarms,' Yale told us.
'The update to the software means there will be no way for a user to access or enable the Web UI functionality, ensuring the security of the user.
'At Yale, the security of our customers has always been our priority. Yale will continue to ensure all security products are regularly updated and tested to ensure they are meeting and exceeding the required standards.'
When it comes to products that can pose a security or privacy risk to you, more must be done to prevent them going on sale.
Manufacturers must have clear points of contact so that vulnerabilities in their products can be disclosed, and must then respond to the issues positively and proactively.
Under the law you will be told how long your product will be supported with security updates when you buy it - but we also want manufacturers to support products for as long as possible.
There are huge benefits to buying and owning smart products. But if a smart product isn't made with good security, it just isn't safe. And if it isn't safe, it shouldn't be on sale.