Which? discovers an alarming number of security flaws in smart home devices
An investigation has revealed how smart home devices such as the Amazon Echo can be hacked and used to crash websites, steal data and spy on users. Consumer group Which? found a staggering 37 vulnerabilities across eight test devices, with 12 rated as high risk and one as critical, reports MailOnline.
Examples include the first-generation Amazon Echo smart speaker, released in 2014, and a Virgin Media internet router from 2017, both leaving users exposed to cybercriminals. Which? found that some of the vital security updates could not be installed due to the age of the product.
“Our latest investigation highlights the real dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected against cybercriminals,” said Rocio Concha, Which? Director of Policy and Advocacy. “These weaknesses can cause significant economic damage, but it’s chilling to think that they can also be exploited by domestic abusers.”
Domestic violence survivors may also be tracked and controlled by ex-partners who exploit weak security on devices, including Wi-Fi routers and security cameras. For its investigation, Which? bought eight products from different brands and installed them all in a simulated home before inviting “ethical hackers” to attack them.
Ethical hackers enter a computer system or network on behalf of its owners and with their permission, often for research purposes. Along with the first-generation Amazon Echo and the Google Doorbell, the list included the Samsung Galaxy S8 Android smartphone, the Wemo smart plug and the Liv Cam baby monitor.
Which? chose these products because they are likely to be installed in the homes of thousands of consumers, even if they are not recent. Some of these products had been discontinued by the manufacturer within five years of their launch. For example, the first-generation Amazon Echo smart speaker lost security support in fall 2021, Which? said.
In response, an Amazon spokesperson said, “Privacy and security are fundamental to the design and delivery of devices, features, and experiences. We have released a fix for this issue for Echo 2nd generation devices in 2017, and not all new Echo devices are affected by this issue.”
On a Google Nest Hello video doorbell, hackers were able to spam the device with requests, so it was taken offline. An attacker could use this to prevent the user’s doorbell from recording if they want to approach the owner’s home.
Google said this issue with the Google Nest Hello has been resolved. According to the Google website, this device is supported with security updates until beyond 2023, which is five years after its release.
Samsung’s Galaxy S8 Android smartphone, which stopped being supported by security updates in April 2021, was easily infected with malware, which could lead to data theft, tracking and spam. The researchers infected it with the Flubot malware, disguised as a DHL delivery text, which in 10 seconds led to access to the phone owner’s data.
Ethical hackers could also compromise the unsupported Virgin Media Super Hub 2 router, already found by Which? to be at risk in 2017. Taking control of the device allows criminals to access people’s Wi-Fi, monitor the websites they are visiting, and launch attacks on other connected devices. Any Virgin customers still using the Super Hub 2 should request a new router free of charge via the Virgin app, or they can contact customer service.
The Liv Cam baby monitor was discontinued by popular baby products brand, Summer Infant, in early 2020, but it can still be found in second-hand online marketplaces. The monitor comes with an app that was last updated in September 2016.
Which? researchers were able to recover the camera password and access the video and audio stream. This product uses an open Wi-Fi network, which means that it would be possible for a neighbor to spy on the baby monitor, or even talk to the child.
A Philips TV, which is supposed to always be supported by updates, could be hacked using an easily guessable default password. Anyone within range could connect to the TV to access user information or could even put an image on the screen claiming to be from Netflix.
Which? found minor issues with an HP Deskjet inkjet printer, but much more serious issues with a Wemo smart plug, which are supposed to receive updates.
Which? shared its findings with Philips and Wemo, but neither had provided comment at the time of publication. The consumer group hopes that the Government’s Product Safety and Telecommunications Infrastructure (PSTI) Bill, currently going through Parliament, will encourage companies to state clearly for how long they will support smart products.
Which? is asking for assurances that products will be clearly labeled with exactly how long they will last, rather than vague terms like “up to” five years of support, or “lifetime updates”. The consumer champion also wants the government to introduce mandatory minimum periods during which different types of smart products must be supported, which will need to differ by device.