From a doorbell to a wi-fi router and a mobile phone, smart products are easy targets for hackers, new research from consumer group Which? has found.
In most cases, Which? tested devices that no longer receive software security updates, leaving cybercriminals free to steal data.
A Samsung (005930.KS) Galaxy S8 Android smartphone, which stopped being supported with security updates in April 2021, was infected with malware which could lead to data theft, tracking and spam adverts.
Researchers infected it with Flubot malware, disguised as a DHL delivery text, which within 10 seconds leads to the phone owner’s data, which could include banking and financial information, credit card details and passwords from SMS messages, being sent all over the internet.
On a Google (GOOGL) Nest Hello video doorbell, hackers were able to spam the device with requests so that it was knocked offline. An attacker could use this to stop the user’s doorbell from recording if they wanted to approach the owner’s home.
The Liv Cam baby monitor stopped being sold by popular baby products brand Summer Infant (SUMR) in early 2020, but it can still be found on second-hand online marketplaces.
The app was last updated in September 2016 and Which?’s researchers were able to retrieve the camera’s password and access the video and the audio feed. This product uses an open wi-fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.
Which? is calling on the government to set out minimum periods of time for which smart products must receive vital security support. This would make smart products last longer, as manufacturers would fix vulnerabilities in them over a longer period of time.
Rocio Concha, Which? director of policy and advocacy, said: “Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals.
“These weaknesses can lead to significant economic damage — but it is chilling to think that they can also be exploited by domestic abusers.
“The Product Security and Telecommunications Infrastructure Bill (PSTI) is a step in the right direction. However, the government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates — and they should go even further by introducing mandatory minimum periods for how long different types of smart products must be supported.”
The government’s PSTI Bill is currently making its way through parliament. Among various security requirements for smart products, companies will have to be transparent about how long they will support smart products when consumers buy from them.
Which? also found problems with products that are still meant to be receiving updates.
A Philips TV (PHIA.SG), which is supposed to still be supported with updates, was hacked using an easily guessable default password.
Which? found issues with an HP Deskjet (HPE) inkjet printer and with a Wemo smart plug, both of which are believed to still be receiving updates.
In total, Which? found 37 vulnerabilities across the eight test devices, including 12 rated as high risk and one rated as critical.
Which? shared its findings with Amazon (AMZN), Google, Philips and Wemo, but none had supplied a comment by the time of publication. The consumer body did not contact Samsung and Summer Infant for comment as their devices are out of the official support window.