From smart TVs to wireless cameras, we test a wide range of internet-connected products to ensure they will protect your privacy and security.
During our most recent security tests of wireless cameras, a model by TP-Link gave us sufficient cause for concern that we contacted the manufacturer. Fortunately, it was quick to roll out a fix.
The issue underlines the importance of standards to protect consumer security and privacy, and comes as the UK government publishes plans for a new law to ensure smart devices such as wireless cameras aren't vulnerable to being hacked by cybercriminals.
In May 2020, our testing flagged that the TP-Link Tapo C200 was vulnerable to an attack that could intercept data on the user.
An attacker would need to be on the same local network as the camera to exploit the vulnerability, but the hack had been around for more than five years, so there was no reason why such a big-brand camera should still be vulnerable to it.
So, we contacted TP-Link and it created a fix, which it has now rolled out to all Tapo C200s. If you own this camera, go to the app and click on the button that updates the firmware. The rest will be taken care of automatically.
There are now around 20bn smart devices in use around the world, yet only around 13% of manufacturers embed even basic cybersecurity protections, according to data from the UK government.
A new smart products industry standard was introduced in June 2020, but it's only voluntary so manufacturers don't have to adhere to it with the products they make and sell.
So, the UK government's Department for Digital, Culture, Media & Sport has now published plans to make it law that all smart products sold in the UK comply by at least three baseline requirements:
The government is now consulting on its plans, which also include a range of enforcement measures for companies that flout the rules.
These potentially include:
Matt Warman, minister for digital infrastructure, said: 'This is a significant step forward in our plans to help make sure smart products are secure and people's privacy is protected.
'I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.
'People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cybercriminals.'
Manufacturers and industry stakeholders have until September 2020 to respond to the plans.
Ahead of the new legislation potentially coming into force, Which? currently puts more than 30 different categories of smart products through rigorous and in-depth tests to ensure they protect your privacy and security. This includes , , and .
Only those with the highest standards can become Best Buys, and any devices that pose a significant risk to you and your data are labelled as Don't Buys.
Rocio Concha, director of advocacy at Which?, said: 'Which? has repeatedly exposed popular connected devices with serious security flaws that fall well short of agreed voluntary standards and leave consumers at the mercy of cybercriminals - so new laws to tackle this issue are an important step and can't come soon enough.
'Legislation, which must be backed by strong enforcement, should be introduced as soon as possible. In the meantime, retailers and online marketplaces must do more to prevent blatantly unsecure products being sold and manufacturers need to be more proactive at addressing security issues with their products.