Poor security and inadequate support periods on popular smart devices could be putting consumers at risk, Which? has found, after an investigation revealed just how easily hackers could access popular smart tech.
To find out how detrimental poor security can be, we purchased eight products from recognisable brands like Samsung, Amazon, Google and others, set them all up in a simulated home and invited ethical hackers to attack them. Many of these devices, most of which sold in their thousands, are quite likely to still be sitting around in our homes today.
While some of the products we tested were still supported, the majority had been ‘abandoned’ by the manufacturer – the support period had ended. So, how risky is it to have one of these in your home?
From a doorbell to a smartphone, our hackers ripped through the security in all of them. This opened up a range of malicious opportunities, including surveillance, data theft, and more.
Listen to our podcast as we take a look at the safety of the connected devices in your home and how likely they are to be the target of hackers.
From baby monitors to smart speakers, chances are your home is filled with smart devices. But without you knowing it, some of these products may have inadequate security against threats, or have even been effectively abandoned by the manufacturer. And they’re now at risk of being hacked.
Unlike traditional products, smart devices only last as long as the software is supported, and unfortunately it’s not uncommon for a manufacturer to stop supporting a product just a few years after it’s released.
Add to this the fact that we’ve seen time and again how security standards fail to make the grade from the off, and it’s clear that far more needs to be done to tackle this emerging issue.
In a matter of weeks, our ethical hackers found 37 vulnerabilities with the test devices, including 12 rated as high risk and one as critical. These included:
Smartphones work slightly differently to other devices in that they have a well-known operating system that runs on them. In the case of the Samsung Galaxy S8, this is Android. This device stopped being supported in April 2021, and we had no problem infecting it with malware, which could lead to data theft, tracking and spam adverts.
We hit the device with Flubot malware, disguised as a DHL delivery text, and within 10 seconds the phone owner’s data, which could include banking and financial information, credit card details and passwords from SMS messages, was being sent over the internet. The attack would have been better blocked or detected by a device that was still receiving security updates.
Use the Which? phone support calculator to see how long a mobile phone will remain supported with important updates.
Although Amazon’s Ring effectively launched the smart doorbells market, Google’s Nest wasn’t too far behind with the Nest Hello. Despite being heavily marketed at its launch, the Google Nest Hello has since been surpassed by a newer version, and now the older model is developing security issues.
Our hackers were able to carry out what is known as a Denial of Service (DoS) attack, which is effectively a way to spam the device with requests so that it goes offline. An attacker could use this to stop your doorbell from recording if they want to approach your home.
We run all video doorbells we test through stringent security checks. Read our video doorbell reviews to find a model you can rely on.
Following its UK release in 2017, Amazon’s Echo effectively kick-started the smart speaker market. The public instantly loved this gadget that could play music and podcasts, or just respond to questions put to voice assistant Alexa.
Our ethical hackers looked at a first generation Amazon Echo smart speaker, believed by Which? to have lost security support in autumn 2021. Using a pre-existing vulnerability, researchers were able to carry out a physical attack that gave them remote control over the device. From here, an attacker could steal user data and even stream the live microphone, all without the user knowing.
Browse our wireless and bluetooth speaker reviews to find devices with voice control that you can trust.
We’ve previously revealed problems with old internet routers that are no longer supported, but still being used in people’s homes. This includes the Virgin Media Super Hub 2. So, it’s not surprising that our hackers made light work of compromising the router and discovering a way to retrieve password information.
From here, they could access your wi-fi, monitor what you were surfing and mount attacks on other connected devices.
Use our wireless router support tool to find out if you're still using a model that could be putting you at risk.
The Liv Cam baby monitor stopped being sold by popular baby products brand, Summer Infant, in early 2020 but it can still be found on second-hand online marketplaces.
The app was last updated in September 2016 and Which?’s researchers were able to retrieve the camera’s password and access the video and the audio feed.
This product uses an open wi-fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.
We test baby monitors, and make sure any we recommend pass our stringent security exam. Read our baby monitor reviews to find Best Buys for under £40.
We found other issues with devices that show why security standards need improving beyond support periods. These included:
HP said: 'We value the work Which? is doing to raise awareness around printer security and industry-wide design challenges. To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices. HP is committed to advancing our existing and future products to be the most secure in the industry.'
Google's Nest said that the issue with the Nest Hello that we disclosed to them has now been fixed.
Wemo said: "Wemo is designed to provide compatibility and seamless interoperability with a variety of applications and smart home systems, while being secure from unauthorized remote access. For many reasons, it is important that consumers take precautions to guard against potential network breaches or attacks of their home network such as using unique passwords, using a secure router, keeping firmware updated on all devices, just to name a few. Furthermore, as Wemo doubles down on Thread, HomeKit and soon-to-come Matter secure platforms, we are already evolving our smart home portfolio to leverage the latest security technologies."
Any Virgin customers still using the Super Hub 2 should request an upgrade. Virgin has told Which? in the past that customers can request a new router for free through its app, or if concerned should contact customer services.
Which? has also shared its findings with Amazon and Philips, but neither had supplied a comment by the time of publication. Which? remains in ongoing dialogue with the companies.
Which? did not contact Samsung and Summer Infant for comment as their devices are confirmed to be out of their official support window.
While you can go to a local shop and get your iPhone screen fixed, there isn’t a repair shop in the world that could address a critical security vulnerability with the iOS software that runs on it. Only Apple can do that. So, we rely on companies to support products for as long as possible, to a high enough standard, and also to communicate this clearly to their customers.
However, too often you are left in the dark when you buy a smart product. That's bad enough for devices like phones or tablets, but could quickly become an environmental nightmare as bulky items such as fridges and washing machines head to landfill faster than they should.
Following years of campaigning by Which?, the government has now introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill. Among various security requirements for smart products, companies will have to be transparent with you about how long they will support smart products when you buy them.
However, we believe that this doesn't go far enough. We have to ensure that this information doesn’t prove misleading, such as vague claims of ‘lifetime updates’ or ‘up to’ three years, which actually proves to be just one.
The PSTI Bill is currently going through Parliament. The Bill will make it law that most smart products sold will have to meet a basic level of security standards, and give regulators the power to fine companies that break the rules.
After repeatedly calling for tough rules on insecure smart devices, Which? is broadly supportive of the PSTI Bill, but feels it could go further in three key areas:
Rocio Concha, Which? Director of Policy and Advocacy, said: 'Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals. These weaknesses can lead to significant economic damage - but it is chilling to think that they can also be exploited by domestic abusers.
'The Product Security and Telecommunications Infrastructure Bill (PSTI) is a step in the right direction. However, the government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates – and they should go even further by introducing mandatory minimum periods for how long different types of smart products must be supported.'
While you might expect any smart device you buy to have your privacy and security top of its list of priorities, we've shown that this isn't always the case. Fortunately, there are things you can do to ensure that you minimise any risks.