Which? finds poor security in smart-home devices

  • June 13, 2022
  • Steve Rogerson

Poor security and inadequate support periods on popular smart-home devices could be putting consumers at risk, according to UK consumer group Which?.

To find out how detrimental poor security can be, it purchased eight products from recognisable brands including Samsung, Amazon and Google, set them up in a simulated home, and invited ethical hackers to attack them.

While some of the products tested were still supported, the majority had been abandoned by their manufacturers because the support period had ended, yet many are still in use in people’s homes. From a doorbell to a smartphone, the hackers ripped through the security of all of them, opening up a range of malicious opportunities including surveillance and data theft.

In a matter of weeks, the hackers found 37 vulnerabilities with the test devices, including 12 rated as high risk and one as critical.

These included a Samsung Galaxy S8 smartphone that was infected with malware. Smartphones differ slightly from other devices in that they run a well-known operating system; in the case of the Galaxy S8, this is Android. The device stopped being supported in April 2021, and the hackers had no problem infecting it with malware, which could lead to data theft, tracking and spam adverts.

They hit the device with Flubot malware, disguised as a DHL delivery text, and within ten seconds the phone owner’s data, which could include banking and financial information, credit card details and passwords from SMS messages, was being sent over the internet. A device still receiving security updates would have been better placed to block or detect the attack.

Although Amazon’s Ring effectively launched the smart doorbell market, Google’s Nest wasn’t far behind with the Nest Hello. Despite being heavily marketed at its launch, the Google Nest Hello has since been superseded by a newer version, and the older model is now developing security issues. The hackers were able to carry out a denial-of-service (DoS) attack, which floods the device with requests until it goes offline. An attacker could use this to stop the doorbell from recording before approaching a home.

Google said the issue with the Nest Hello had now been fixed.

Following its release in 2017, Amazon’s Echo effectively kick-started the smart speaker market. The hackers looked at a first-generation Amazon Echo smart speaker, believed by Which? to have lost security support in autumn 2021. Using a known vulnerability, the researchers were able to mount a physical attack that gave them remote control of the device. From there, an attacker could steal user data and even stream the live microphone, all without the user knowing.

Which? has previously revealed problems with old internet routers that are no longer supported but are still being used in people’s homes, including the Virgin Media Super Hub 2. So it was not surprising that the hackers made light work of compromising the router and found a way to retrieve password information. From there, they could access the home’s wifi, monitor what the householders were browsing and mount attacks on other connected devices.

Any Virgin customers still using the Super Hub 2 should request an upgrade. Virgin told Which? in the past that customers could request a new router for free through its app or, if concerned, they should contact customer services.

The Liv Cam baby monitor stopped being sold by the popular baby products brand Summer Infant in early 2020, but it can still be found on second-hand online marketplaces. Its app was last updated in September 2016, and the researchers were able to retrieve the camera’s password and access the video and audio feed. The product uses an open wifi network, meaning a neighbour could snoop on the baby monitor, or even talk to the child.

Other issues included a Wemo Insight smart plug that could be taken over by an attacker to control whatever was plugged into it.

Wemo said: “Wemo is designed to provide compatibility and seamless interoperability with a variety of applications and smart home systems, while being secure from unauthorised remote access. For many reasons, it is important that consumers take precautions to guard against potential network breaches or attacks of their home network such as using unique passwords, using a secure router, keeping firmware updated on all devices, just to name a few. Furthermore, as Wemo doubles down on Thread, HomeKit and soon-to-come Matter secure platforms, we are already evolving our smart-home portfolio to leverage the latest security technologies.”

A Philips 32PHS6605 smart TV was bought new and was supposedly still supported with updates. The researchers found it could be hacked using an easily guessable default password. This means anyone within range could connect to the TV to access information on the user, or could even put an image on the screen pretending to be from Netflix and pointing to a phishing URL where the homeowner is encouraged to re-enter their account or payment details.

An HP Deskjet 2720e printer was found to have some minor issues that pose a relatively low risk to the user. HP said: “To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices.”

Which? also shared its findings with Amazon and Philips, but neither had supplied a comment by the time of publication. Which? did not contact Samsung and Summer Infant for comment as their devices are confirmed to be out of their official support window.