Smart homes: security flaws of wireless routers, home hubs, Bluetooth toys and more exposed

Smart homes: security flaws of wireless routers, home hubs, Bluetooth toys and more exposed

A range of popular ‘smart’ devices found in homes like the Amazon Echo and CloudPets have big security flaws.

Reena Sewraz

Rights, Scams and Politics

Reena Sewraz
Updated on 23 June 2017

Hackers could access your home network and connected appliances through a range of ‘smart’ devices, new research reveals.

Consumer site Which? created a ‘hackable home’ to test the security of a range of innovative products and systems we increasingly use to make our lives simpler.

It set up 15 popular smart gadgets and appliances typically found in homes today from a wireless router to a children’s Bluetooth toy and got ethical security researchers Sure Cloud to hack them.

As well as gaining access to the home network and connected appliances, Sure Cloud researchers targeted the homeowner with surveillance and phishing attacks to gather information.

All this allowed the researchers to breach their security in as little as four days.

Check if hackers have stolen your identity with your credit report

Hackable smart gadgets

The test found eight of the 15 products were found to have at least one security flaw.

Sure Cloud was able to easily access the Virgin Media Super Hub 2 internet router.

The gadget is issued with a simple password that many people typically don’t bother to change so it was easy to infiltrate in the experiment and acted as a gateway to all connected devices within the home.

The smart toy CloudPets, which enables family and friends to send voice messages to a child via Bluetooth was also easy to hack.

Sure Cloud researchers were able to make the product play voice messages that was able to trick the Amazon Echo.

Amazon Echo, which responds to voice commands to perform certain tasks was harder to infiltrate according to researchers but, as this video shows, it still has some vulnerability when it comes to voice purchasing features. 

Voice purchasing is enabled by default on the Amazon Echo, so if you don't change or add some security to this setting someone can easily order products from your Amazon Prime account and intercept the package when it arrives. 

Wireless CCTV was also worryingly simple to takeover. The home CCTV camera system from Fred Megapix operates over the internet using a default administrator and without a password, but thousands of similar cameras also had this flaw.

Which? says this is a real privacy concern as anyone could potentially watch a live feed over the internet, with hackers even able to pan and tilt the cameras to monitor activity in a house.

Other items that had potential security risks include the TP-LINK HS100 SMART PLUG, which hackers were able to control to turn off appliances; the Logitech Harmony Hub, which doesn't require a login so can be easily taken over and used as a gateway to other devices; the Nokē Smart Padlock, which instead of a key uses Bluetooth to keep valuables safe; and the Smarter Coffee Machine, which creates an unprotected open wireless network that anyone in range can connect to.

What’s being done about the flaws?

Which? says whenever it identifies a vulnerability with a product it tests it contacts the manufacturers involved first, so all of the flaws it found in its experiment have been reported.

This has resulted in the majority taking action to update their software and security.

Virgin Media, for example, is contacting 800,000 customers and telling them to update their passwords and is also upgrading many to its more secure Super Hub 3.

A Virgin Media spokesperson said: “The security of our network and of our customers is of paramount importance to us. We continually upgrade our systems and equipment to ensure that we meet all current industry standards.

“To the extent that technology allows this to be done, we regularly support our customers through advice, firmware and software updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions.”

An Amazon Echo spokesperson told Which?: “You can manage your shopping settings in the Alexa app, such as turning off voice purchasing or requiring a confirmation code before every order.

"Additionally, orders placed with Alexa for physical products are eligible for free return.”

Improving safety

Which? says more action needs to be taken to close security loopholes by manufacturers. It’s calling for devices to require a unique password, use two-factor authentication, and for them to get regular security updates for software.

Alex Neill, Which? Managing Director of Home Products and Services, said: “There is no denying the huge benefits that smart-home gadgets and devices bring to our daily lives.

"However, as our investigation clearly shows, consumers should be aware that some of these appliances are vulnerable and offer little or no security.

“There are a number of steps people can take to better protect their home, but hackers are growing increasingly more sophisticated. Manufacturers need to ensure that any smart product sold is secure by design.”

How to guard against hackers

Here some simple steps to follow to safeguard your devices from hackers.

Set strong passwords – many smart devices come with generic default passwords that are easy for hackers to guess.

Update your software – keeping software or firmware updated means that the latest security is installed on the device.

Complete the set-up – all smart devices should be connected to a secure wi-fi network. Many use their own wi-fi during the set-up process which, if left unsecured, is an easy target for attackers.

Location, location – be mindful of where devices are positioned in your home. Those close to windows or behind thin doors can be more easily accessed from outside.

Check if hackers have stolen your identity with your credit report

Most Recent