Smart home devices from companies such as Amazon and Google can be hacked and used to crash websites, steal data and snoop on users, an investigation reveals.
Consumer group Which? has found poor security on eight smart devices, some of which are no longer supported with vital security updates due to their age.
Examples include the first generation Amazon Echo smart speaker, released in 2014, and a Virgin Media internet router from 2017.
All of the products had vulnerabilities that could leave users exposed to cybercriminals, Which? found.
Domestic abuse survivors can also be tracked and controlled by ex-partners who exploit weak security on devices including Wi-Fi routers and security cameras.
In total, Which? found 37 vulnerabilities across the eight test devices, including 12 rated as high risk and one rated as critical.
The London-based consumer champion now says the UK government should set out minimum periods of time smart products must receive vital security support for.
THE EIGHT SMART HOME PRODUCTS
– Amazon Echo smart speaker (first-gen)
– Google Nest Hello video doorbell
– Samsung Galaxy S8 Android smartphone
– Virgin Media Super Hub 2
– Liv Cam baby monitor
– Philips TV
– HP Deskjet inkjet printer
– Wemo smart plug
‘Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals,’ said Rocio Concha, Which? director of policy and advocacy.
‘These weaknesses can lead to significant economic damage, but it is chilling to think that they can also be exploited by domestic abusers.’
For its investigation, Which? purchased eight products from different brands and set them all up in a simulated home before inviting ‘ethical hackers’ to attack them.
Ethical hackers penetrate computer systems or networks on behalf of their owners, and with their permission, often for the purposes of research.
As well as the first generation Amazon Echo and the Google doorbell, the list included the Samsung Galaxy S8 Android smartphone, the Wemo smart plug and the Liv Cam baby monitor.
Which? selected these products because they are likely to be sitting in the homes of thousands of consumers, even though they are not newly-released.
Some of these products had been abandoned by the manufacturer within five years since their launch.
For example, the first generation Amazon Echo smart speaker lost security support in autumn 2021, Which? said.
Using a pre-existing vulnerability, researchers were able to carry out a physical attack that gave them remote control over Amazon’s device.
In real life, an attacker could steal user data and even stream the device’s live microphone, all without the user knowing.
In response, an Amazon spokesperson said: ‘Privacy and security are foundational to how we design and deliver devices, features, and experiences.
‘We released a fix for this issue for 2nd generation Echo devices in 2017, and all newer Echo devices are not impacted by this issue.’
The spokesperson also said there are factors that ‘decrease the real-world likelihood of this issue impacting customers’.
A malicious actor needs to be in possession of a first generation Echo device and have the ability to access the device hardware, as well as the skills to install an external memory reader on the device, for example.
Meanwhile, on a Google Nest Hello video doorbell, hackers were able to spam the device with requests so that it was knocked offline.
An attacker could use this to stop the user’s doorbell from recording if they want to approach the owner’s home.
Google has told MailOnline that this issue with the Google Nest Hello has been resolved.
According to Google’s website, this device will continue to receive security updates beyond 2023, which is five years after it was released.
‘Google Nest connected home devices will receive automatic security updates for at least five years from the date that we start selling them on the US Google Store,’ Google says.
‘Security updates will address critical issues known to Google Nest that are able to be patched with a remote software update.’
Samsung’s Galaxy S8 Android smartphone, which stopped being supported with security updates in April 2021, was easily infected with malware, which could lead to data theft, tracking and spam adverts.
Researchers infected it with Flubot malware, disguised as a DHL delivery text, which within 10 seconds gave access to the phone owner’s data.
This could mean banking and financial information, credit card details and passwords from text messages being sent all over the internet.
The attack would have been better blocked or detected by a device that was still receiving security updates, Which? said.
Ethical hackers could also compromise the unsupported Virgin Media Super Hub 2 router, already found by Which? to be at risk back in 2017.
Gaining control of the device allows criminals to access people’s Wi-Fi, monitor what websites they visit and mount attacks on other connected devices.
Any Virgin customers still using the Super Hub 2 should request a new router for free through Virgin’s app or they can contact customer services.
The Liv Cam baby monitor stopped being sold by the popular baby products brand Summer Infant in early 2020, but it can still be found on second-hand online marketplaces.
The monitor partners with an app that was last updated in September 2016.
Which? researchers were able to retrieve the camera’s password and access the video and the audio feed.
This product uses an open Wi-Fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.
A Philips TV, which is supposed to still be supported with updates, could be hacked using an easily guessable default password.
Anyone within range could connect to the TV to access information on the user or could even put an image on the screen pretending to be from Netflix.
This could direct the homeowner to a phishing URL where they are encouraged to re-enter their account or payment details.
Which? found minor issues with an HP Deskjet inkjet printer, but much more serious problems with a Wemo smart plug, both of which are believed to still be receiving updates.
In response, HP said in a statement: ‘We value the work Which? is doing to raise awareness around printer security and industry-wide design challenges.
‘To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices.
‘HP is committed to advancing our existing and future products to be the most secure in the industry.’
Which? has shared its findings with Philips and Wemo, but neither had supplied a comment by the time of publication.
The consumer group is hopeful that the government’s Product Security and Telecommunications Infrastructure (PSTI) Bill, now making its way through parliament, will make firms state clearly how long they will support smart products.
Which? is calling for assurances that products will be clearly labelled with exactly how long they will last, rather than vague terms like ‘up to’ five years of support, or ‘lifetime updates’.
The consumer champion also wants the government to introduce mandatory minimum periods for how long different types of smart products must be supported, which will have to differ depending on the device.
WHICH? PROVIDES ADVICE FOR CONSUMERS WITH OLDER DEVICES
1. Run a tech audit
First, make sure you review all the smart devices you have connected at home. When did you buy them? Are they still on sale?
Check whether they have recently been updated – either check the app, with the manufacturer, or visit which.co.uk/device-support.
2. Take security measures
For all still supported devices, make sure they are updated to the latest software.
If a password is used, ensure it’s a strong one that you set yourself. If you can add on two-factor authentication, make sure you do.
If a device you own is no longer supported, it’s best to upgrade.
It will be annoying to ditch a product that is still in working order, but it’s just not worth taking the risk of it being exploited by a malicious hacker or scammer.
4. Legal rights
If you have a device that’s less than six years old and no longer supported, you could try to argue that you deserve a refund or replacement.
Currently, security is not well defined in law, but try contacting the retailer to see if you can make the case that your product is no longer fit for purpose or of satisfactory quality.