Home is where the hack is?

Smart products purchased from online marketplaces could present security and privacy risks.

Smart products, such as doorbells, wireless cameras and alarms, have been increasingly popular purchases for consumers in recent years. The products can bring a range of efficiencies into the home, but a recent investigation from independent UK consumer body, Which?, shows that they could also present security and privacy risks.

Working closely with Which?, we recently assessed the safety and security of smart products that are sold across popular online marketplaces including AliExpress, Amazon Marketplace and eBay. Which? identified hundreds of different products that were supported by just four applications (Aiwit, CamHi, CloudEdge and Smart Life), and we found several potential security flaws within those applications that could leave users vulnerable to hackers or expose their personal data.

Which? YouTube video featuring Guy Morley from NCC Group talking about the key highlights

Password security

Smart products often come with weak ‘out-of-the-box’ passwords or enable users to set simple passwords themselves, and this was true across the apps that we investigated. However, hackers can exploit these passwords to compromise the device and others that are connected to the same broadband network. In some cases, they can even identify the user’s location and watch live footage of their home through video-enabled products such as smart doorbells, which presents obvious security and privacy risks.

Insecure data transfer

Encryption makes users’ data more secure when transferring it to other smart devices or outside of the user’s home network. Unfortunately, the apps that we investigated enabled unencrypted data transfers and used unclear privacy policies that make it very difficult to establish the ways in which users’ data is being shared. Some of these lax security measures will be made illegal under the UK government’s forthcoming Product Security and Telecommunications Infrastructure (PSTI) Bill, but they remain a cause for concern ahead of busy shopping periods such as Black Friday and Christmas.

Vulnerability reporting

Responsible disclosure of vulnerabilities is one of the most effective ways to give manufacturers the information they need to fix security flaws and protect users. However, many of the apps that we tested did not clearly present contact details for this purpose. Of all the apps, Aiwit was the only one which didn’t require extensive research to find the original app developer. Smart Life was the only app that appeared to have a clear disclosure policy, but that was only made apparent when Which? sourced its actual developer, Tuya, rather than the developer with no web presence that had been listed on the app.

Unsupported devices

Smart devices that are no longer supported by their manufacturer or have not received regular security updates are targeted by hackers as a route to compromising other devices. Our investigation found more than a hundred unsupported devices for sale on AliExpress and eBay, some of which are estimated to have last received a security update more than seven years ago. Many of the devices are marketed at children, making this finding particularly concerning for consumers.

Commenting on the research, Matt Lewis, Commercial Research Director at NCC Group, said: “Our findings show that consumers should exercise caution when purchasing smart products from online marketplaces, particularly ahead of busy shopping events like Black Friday and Christmas. It’s encouraging that the UK government is planning to strengthen the safety and security of smart products with new legislation, and we expect other countries to implement similar laws to protect consumers in the new future.

“In the meantime, we’d encourage smart device manufacturers to prepare for this legislation today by building security into the manufacturing process from the start. Our findings show that mandating strong passwords, encrypted data transfer, regular security updates and clear disclosure policies can go a long way to protecting a company’s reputation and enhancing trust with consumers.”

What should consumers do?

• Be cautious of unbranded or unknown smart products: A recognisable brand doesn’t always mean stronger security, but our investigation found thousands of products that didn’t even have a brand name. This makes it possible that neither the buyer or seller knows who made the product, making it harder to establish whether they are secure and potentially exposing consumers to security risks.
  
  
• Check for cloned devices: Often, different products will look almost identical to each other on online marketplaces, indicating that they might be cloned devices. These products can be sold as different items but use the same app, so run generic searches such as ‘wireless cameras’ and try to avoid those that look identical to others.
  
  
• Look beyond product ratings and scores: Some manufacturers incentivise fake positive reviews of their products, so be sure to read negative user reviews for signs of problems with security, safety and functionality.
  
  
• Research the app behind the product: You can find out what app a smart product is using by typing Ctrl + F and ‘app’ on the product listing or through desk research. Then you can find out who made the app and conduct further research into their security credentials by searching for it on app stores.
  
  

Advice to manufacturers

Manufacturers should prepare for incoming legislation around tighter IoT security by adhering to recognised security standards such as those laid out by the ioXt Alliance, the Global Standard for IoT Security. These include:

• No universal passwords: The product should not have a universal password; unique security credentials will be required for operation.
• Secured Interfaces: All product interfaces should be appropriately secured.
• Proven Cryptography: Product security should use strong, proven, updatable cryptography using open, peer-reviewed methods and algorithms.
• Security by Default: Product security should be appropriately enabled by default.
• Verified Software: The product should only support signed software updates.
• Automatic Security Updates: The manufacturer should apply timely security updates.
• Vulnerability Reporting Program: The manufacturer should implement a vulnerability reporting program, which will be addressed in a timely manner.
• Security Expiration Date: The manufacturer should be transparent about the period of time that security updates will be provided.

You can read the Which? article here.