Smart products from the biggest tech brands easily hacked in Which? tests

Poor security and inadequate support periods on popular smart devices could be putting consumers at risk, Which? has found, after an investigation revealed just how easily hackers could access popular smart tech.

To find out how detrimental poor security can be, we purchased eight products from recognisable brands like Samsung, Amazon, Google and others, set them all up in a simulated home and invited ethical hackers to attack them. Many of these devices, most of which sold in their thousands, are quite likely to still be sitting around in our homes today. 

While some of the products we tested were still supported, the majority had been ‘abandoned’ by the manufacturer – the support period had ended. So, how risky is it to have one of these in your home?  

From a doorbell to a smartphone, our hackers ripped through the security in all of them. This opened up a range of malicious opportunities, including surveillance, data theft, and more. 

Tech tips you can trust – get our free Tech newsletter for advice, news, deals and stuff the manuals don’t tell you

How hackable is your home? Listen to the Which? Shorts podcast

Listen to our podcast as we take a look at the safety of the connected devices in your home and how likely they are to be the target of hackers.

The risks posed by insecure smart tech

From baby monitors to smart speakers, chances are your home is filled with smart devices. But without you knowing it, some of these products may have inadequate security against threats, or have even been effectively abandoned by the manufacturer. And they’re now at risk of being hacked. 

Unlike traditional products, smart devices only last as long as the software is supported, and unfortunately it’s not uncommon for a manufacturer to stop supporting a product just a few years after it’s released. 

Add to this the fact that we’ve seen time and again how security standards fail to make the grade from the off, and it’s clear that far more needs to be done to tackle this emerging issue.

In a matter of weeks, our ethical hackers found 37 vulnerabilities with the test devices, including 12 rated as high risk and one as critical. These included:

Samsung Galaxy S8 smartphone infected with malware

Smartphones work slightly differently to other devices in that they have a well-known operating system that runs on them. In the case of the Samsung Galaxy S8, this is Android. This device stopped being supported in April 2021, and we had no problem infecting it with malware, which could lead to data theft, tracking and spam adverts. 

We hit the device with Flubot malware, disguised as a DHL delivery text, and within 10 seconds the phone owner’s data, which could include banking and financial information, credit card details and passwords from SMS messages, was being sent over the internet. The attack would have been better blocked or detected by a device that was still receiving security updates.

Use the Which? phone support calculator to see how long a mobile phone will remain supported with important updates.

Hackers say hello to Google Nest video doorbell

Although Amazon’s Ring effectively launched the smart doorbells market, Google’s Nest wasn’t too far behind with the Nest Hello. Despite being heavily marketed at its launch, the Google Nest Hello has since been surpassed by a newer version, and now the older model is developing security issues. 

Our hackers were able to exploit what is known as a Denial of Service (DoS) attack, which effectively is a way to spam the device with requests so that it goes offline. An attacker could use this to stop your doorbell from recording if they want to approach your home. 

We run all video doorbells we test through stringent security checks. Read our video doorbell reviews to find a model you can rely on.

Easvesdropping on your home via an Amazon Echo

Following its UK release in 2017, Amazon’s Echo effectively kick-started the smart speaker market. The public instantly loved this gadget that could play music and podcasts, or just respond to questions put to voice assistant Alexa.

Our ethical hackers looked at a first generation Amazon Echo smart speaker, believed by Which? to have lost security support in autumn 2021. Using a pre-existing vulnerability, researchers were able to exploit a physical attack giving remote control over the device. From here, an attacker could steal user data and even stream the live microphone, all without the user knowing.

Browse our wireless and bluetooth speaker reviews to find devices with voice control that you can trust.

Out of support Virgin Media router

We’ve previously revealed problems with old internet routers that are no longer supported, but still being used in people’s homes. This includes the Virgin Media Super Hub 2. So, it’s not surprising that our hackers made light work of compromising the router and discovering a way to retrieve password information. 

From here, they could access your wi-fi, monitor what you were surfing and mount attacks on other connected devices.

Use our wireless router support tool to find out if you're still using a model that could be putting you at risk.

Baby monitor welcomes intruders

The Liv Cam baby monitor stopped being sold by popular baby products brand, Summer Infant, in early 2020 but it can still be found on second-hand online marketplaces. 

The app was last updated in September 2016 and Which?’s researchers were able to retrieve the camera’s password and access the video and the audio feed. 

This product uses an open wi-fi network, meaning it would be possible for a neighbour to snoop on the baby monitor, or even talk to the child.

We test baby monitors, and make sure any recommend pass our stringent security exam. Read our baby monitor reviews to find Best Buys for under £40.

Other issues found in smart plugs, printers and TVs

We found other issues with devices that show why security standards need improving beyond support periods. These included:

• A Wemo Insight smart plug could be taken over by an attacker to control whatever was plugged into it. This might sound innocuous, but just think how you’d feel if a plugged device started turning on and off without you doing anything. Likewise, if you had something important such as a fridge connected, turning it off could have bad consequences.
• A Philips 32PHS6605 smart TV was bought new, and supposedly still supported with updates. We found that it could be hacked using an easily guessable default password. This means anyone within range could connect to the TV to access information on the user or could even put an image on the screen pretending to be from Netflix and pointing to a phishing URL where the homeowner is encouraged to re-enter their account or payment details.
• An HP Deskjet 2720e printer was found to have some minor issues that pose a relatively low risk to the user.  

What the brands told us

HP said: 'We value the work Which? is doing to raise awareness around printer security and industry-wide design challenges. To protect against continually evolving security risks, HP recommends customers set strong, unique passwords and use auto firmware updates to best secure their devices. HP is committed to advancing our existing and future products to be the most secure in the industry.'

Google's Nest said that the issue with the Nest Hello that we disclosed to them has now been fixed. 

Wemo said: "Wemo is designed to provide compatibility and seamless interoperability with a variety of applications and smart home systems, while being secure from unauthorized remote access. For many reasons, it is important that consumers take precautions to guard against potential network breaches or attacks of their home network such as using unique passwords, using a secure router, keeping firmware updated on all devices, just to name a few. Furthermore, as Wemo doubles down on Thread, HomeKit and soon-to-come Matter secure platforms, we are already evolving our smart home portfolio to leverage the latest security technologies."

Any Virgin customers still using the Super Hub 2 should request an upgrade. Virgin has told Which? in the past that customers can request a new router for free through its app, or if concerned should contact customer services.

Which? has also shared its findings with Amazon and Philips, but neither had supplied a comment by the time of publication. Which? remains in ongoing dialogue with the companies.  

Which? did not contact Samsung and Summer Infant for comment as their devices are confirmed to be out of their official support window.   

Tech brands need to take security seriously 

While you can go to a local shop and get your iPhone screen fixed, there isn’t a repair shop in the world that could address a critical security vulnerability with the iOS software that runs on it. Only Apple can do that. So, we rely on companies to support products for as long as possible, to a high enough standard, and also to communicate this clearly to their customers. 

However, too often you are left in the dark when you buy a smart product. That's bad enough for devices like phones or tablets, but could quickly become an environmental nightmare as bulky items such as fridges and washing machines head to landfill faster than they should. 

Following years of campaigning by Which?, the government has now introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill. Among various security requirements for smart products, companies will have to be transparent with you about how long they will support smart products when you buy them. 

However, we believe that this doesn't go far enough. We have to ensure that this information doesn’t prove misleading, such as vague claims of ‘lifetime updates’ or ‘up to’ three years, which actually proves to be just one.

New product security law must go further

The PSTI Bill is currently going through Parliament. The Bill will make it law that most smart products sold will have to meet a basic level of security standards, and give regulators the power to fine companies that break the rules. 

After repeatedly calling for tough rules on insecure smart devices, Which? Is broadly supportive of the PSTI Bill, but feels it could go further in three key areas;

• Online marketplaces: previous Which? research has shown that many insecure products are sold via marketplaces, listing sites and auction sites, so the legislation must effectively cover everywhere that consumers buy smart products. 
• Update support minimums:  the legislation makes it law that manufacturers must tell consumers how long they will support a smart product when they buy it. However, we feel that it is necessary to go further and mandate how long different types of products should be supported as a minimum. Consumers should be able to use products for longer, and not dispose of them earlier than necessary. 
• Consumer rights: If someone owns an insecure smart device, they should be able to argue that it is faulty and then get a refund or replacement as per their legal rights under the Consumer Rights Act 2015. This is currently not defined clearly enough, in our view, under the PSTI legislation as drafted. 

Rocio Concha, Which? Director of Policy and Advocacy, said: 'Our latest investigation highlights the real-life dangers posed by smart products from some of the biggest tech brands that are no longer adequately protected from cybercriminals. These weaknesses can lead to significant economic damage - but it is chilling to think that they can also be exploited by domestic abusers. 

'The Product Security and Telecommunications Infrastructure Bill (PSTI) is a step in the right direction. However, the government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates – and they should go even further by introducing mandatory minimum periods for how long different types of smart products must be supported.'

How to make your smart devices more secure

While you might expect any smart device you buy to have your privacy and security top of its list of priorities, we've shown that this isn't always the case. Fortunately, there are things you can do to ensure that you minimise any risks.

1. Run a tech audit: Review all the smart devices you have connected at home and consider when you bought them, if they are still on sale, and if they have been recently updated. As we've shown a key issue with older devices is that brands essential abandon them, and cease supporting them with important updates to guard against threats. You can also use our range of free security tools to check the status of mobile phones, tablets, laptops and routers you have in the home, or are thinking of buying.
2. Take security measures: For all still supported devices, make sure they are updated to the latest software. If a password is used, ensure it is a strong one that you set yourself. If you can add on two-factor authentication, make sure you do so. 
3. Time to upgrade: If a device you own is no longer supported, you should look to upgrade it when you can. It will be a wrench to ditch a product that is still in working order, but it is just not worth taking the risk of it being exploited by a malicious hacker or scammer.   
4. Legal rights: If you have a device that’s less than six years old and no longer supported, you could try to argue that you deserve a refund or replacement. Currently, security is not well defined in law, but try contacting the retailer to see if you can make the case that your product is no longer fit for purpose or of satisfactory quality.