We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

16 Jul 2020

TP-link camera security flaw discovered in Which? tests as 'IoT law' moves closer

A vulnerability discovered during Which? testing that could have posed a risk to you and your data has now been fixed

From smart TVs to wireless cameras, we test a wide range of internet-connected products to ensure they will protect your privacy and security.

During our most recent security tests of wireless cameras, a model by TP-Link gave us sufficient cause for concern that we contacted the manufacturer. Fortunately, it was quick to roll out a fix.

The issue underlines the importance of standards to protect consumer security and privacy, and comes as the UK government publishes plans for a new law to ensure smart devices such as wireless cameras aren't vulnerable to being hacked by cybercriminals.

Wireless camera reviews - see highly rated indoor and outdoor wireless cameras that have passed our tough tests

TP-Link Tapo C200 vulnerability fixed

In May 2020, our testing flagged that the TP-Link Tapo C200 was vulnerable to an attack that could intercept data on the user.

An attacker would need to be on the same local network as the camera to exploit the vulnerability, but the hack had been around for more than five years, so there was no reason why such a big-brand camera should still be vulnerable to it.

Although the risk was not as serious as the widespread wireless camera vulnerability we reported on in June 2020, it was deemed sufficient enough for us to take action.

So, we contacted TP-Link and it created a fix, which it has now rolled out to all Tapo C200s. If you own this camera, go to the app and click on the button that updates the firmware. The rest will be taken care of automatically.

To find out how this camera rated overall for video quality, ease of use, features and more, read our full TP-Link Tapo C200 review.

New law to tackle smart product security

There are now around 20bn smart devices in use around the world, yet only around 13% of manufacturers embed even basic cybersecurity protections, according to data from the UK government.

A new smart products industry standard was introduced in June 2020, but it's only voluntary so manufacturers don't have to adhere to it with the products they make and sell.

So, the UK government's Department for Digital, Culture, Media & Sport has now published plans to make it law that all smart products sold in the UK comply by at least three baseline requirements:

  • Device passwords must be unique and not use generic and easily guessable terms, such as 'admin' and '123456'
  • Manufacturers must provide a point of contact for reporting security vulnerabilities, such as we did with TP-Link
  • You must be told for how long your product will receive updates (including vital security protections) when you buy it.

Bans, recalls and fines considered

The government is now consulting on its plans, which also include a range of enforcement measures for companies that flout the rules.

These potentially include:

  • Temporary or permanent bans on the sale of suspected unsecure smart products that breach regulations
  • Recall notices served to manufacturers or retailers selling insecure products
  • Court orders to confiscate and potentially destroy stocks of dangerous smart products
  • Fines for businesses selling them

Matt Warman, minister for digital infrastructure, said: 'This is a significant step forward in our plans to help make sure smart products are secure and people's privacy is protected.

'I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.

'People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cybercriminals.'

Manufacturers and industry stakeholders have until September 2020 to respond to the plans.

Which? testing sets the security standard

Ahead of the new legislation potentially coming into force, Which? currently puts more than 30 different categories of smart products through rigorous and in-depth tests to ensure they protect your privacy and security. This includes wireless cameras, baby monitors, smart speakers and smart thermostats.

Only those with the highest standards can become Best Buys, and any devices that pose a significant risk to you and your data are labelled as Don't Buys.

Rocio Concha, director of advocacy at Which?, said: 'Which? has repeatedly exposed popular connected devices with serious security flaws that fall well short of agreed voluntary standards and leave consumers at the mercy of cybercriminals - so new laws to tackle this issue are an important step and can't come soon enough.

'Legislation, which must be backed by strong enforcement, should be introduced as soon as possible. In the meantime, retailers and online marketplaces must do more to prevent blatantly unsecure products being sold and manufacturers need to be more proactive at addressing security issues with their products.