Smart home devices from companies such as Amazon and Google can be hacked and used to crash websites, steal data and snoop on users, an investigation reveals.
Consumer group Which? has found poor security on eight smart devices, some of which are no longer supported with vital security updates due to their age.
Examples include the first generation Amazon Echo smart speaker, released in 2014, and a Virgin Media internet router from 2017.
All of the products had vulnerabilities that could leave users exposed to cybercriminals, Which? found.
Domestic abuse survivors can also be tracked and controlled by ex-partners who exploit weak security on devices including Wi-Fi routers and security cameras.
Smart home devices from companies such as Amazon and Google can be hacked and used to crash websites, steal data and snoop on users, an investigation reveals. The first generation Amazon Echo smart speaker (pictured) was released in 2014
In total, Which? found 37 vulnerabilities across the eight test devices, including 12 rated as high risk and one rated as critical.
The London-based consumer champion now says the UK government should set out minimum periods of time smart products must receive vital security support for.
‘Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals,’ said Rocio Concha, Which? director of policy and advocacy.
‘These weaknesses can lead to significant economic damage, but it is chilling to think that they can also be exploited by domestic abusers.’
For its investigation, Which? purchased eight products from different brands and set them all up in a simulated home before inviting ‘ethical hackers’ to attack them.
Ethical hackers penetrate a computer systems or networks on behalf of its owners, and with their permission, often for the purposes of research.
As well as the first generation Amazon Echo and the Google doorbell, the list included the Samsung Galaxy S8 Android smartphone, the Wemo smart plug and the Liv Cam baby monitor.
Which? selected these products because they are likely to be sitting in the homes of thousands of consumers, even though they are not newly-released.
Some of these products had been abandoned by the manufacturer within five years since their launch.
For example, the first generation Amazon Echo smart speaker lost security support in autumn 2021, Which? said.
Using a pre-existing vulnerability, researchers were able to exploit a physical attack giving remote control over Amazon’s device.
In real life, an attacker could steal user data and even stream the device’s live microphone, all without the user knowing.
Samsung Galaxy S8 Android smartphone (pictured) was easily infected with malware which could lead to data theft, tracking and spam adverts, Which? found
Using a Google Nest Hello video doorbell (pictured) hackers were able to spam the device with requests so that it was knocked offline
Meanwhile, on a Google Nest Hello video doorbell, hackers were able to spam the device with requests so that it was knocked offline.
An attacker could use this to stop the user’s doorbell from recording if they want to approach the owner’s home.
According to Google’s website, this device is being supported by security updates until 2023.
Samsung’s Galaxy S8 Android smartphone, which stopped being supported with security updates in April 2021, was easily infected with malware, which could lead to data theft, tracking and spam adverts.
Researchers infected it with Flubot malware, disguised as a DHL delivery text, that within 10 seconds leads to access to the phone owner’s data.
This could mean banking and financial information, credit card details and passwords from text messages being sent all over the internet.
The attack would have been better blocked or detected by a device that was still receiving security updates, Which? said.
Ethical hackers could also compromise the unsupported Virgin Media Super Hub 2 router, already found by Which? to be at risk back in 2017.
Gaining control of the device allows criminals to access people’s Wi-Fi, monitor what websites they were visiting and mount attacks on other connected devices.
Any Virgin customers still using the Super Hub 2 should request a new router for free through Virgin’s app or they can contact customer services.
The Liv Cam baby monitor stopped being sold by popular baby products brand, Summer Infant, in early 2020 but it can still be found on second-hand online marketplaces.
The monitor partners with an app that was last updated in September 2016.
Any Virgin customers still using the Super Hub 2 router (pictured) should request an upgrade, according to Which?
Which? found minor issues with an HP Deskjet inkjet printer, but much more serious problems with a Wemo smart plug (pictured), both of which are believed to still be receiving updates
Which? researchers were able to retrieve the camera’s password and access the video and the audio feed.
This product uses an open Wi-Fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.
A Philips TV, which is supposed to still be supported with updates, could be hacked using an easily guessable default password.
Anyone within range could connect to the TV to access information on the user or could even put an image on the screen pretending to be from Netflix.
This could direct the homeowner to a phishing URL where they are encouraged to re-enter their account or payment details.
Which? found minor issues with an HP Deskjet inkjet printer, but much more serious problems with a Wemo smart plug, both of which are believed to still be receiving updates.
In response, HP said in a statement: ‘We value the work Which? is doing to raise awareness around printer security and industry-wide design challenges.
‘To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices.
‘HP is committed to advancing our existing and future products to be the most secure in the industry.’
Which? has shared its findings with Amazon, Google, Philips and Wemo, but none had supplied a comment by the time of publication.
The consumer group is hopeful that the government’s Product Security and Telecommunications Infrastructure (PSTI) Bill, now making its way through parliament, will make firms state clearly hoe long they will support smart products.
Which? is calling for assurances that products will be clearly labelled with exactly how long they will last, rather than vague terms like ‘up to’ five years of support, or ‘lifetime updates’.
The consumer champion also wants the government to introduce mandatory minimum periods for how long different types of smart products must be supported, which will have to differ depending on the device.