A home filled with smart devices could be exposed to more than
12,000 hacking or unknown scanning attacks from across the world
in a single week, a new Which? investigation has found.
UK households now have more than 10 different connected devices
on average, from televisions to thermostats. While these products
can bring huge benefits and convenience for consumers, as homes
become more connected they can become more of a potential target
for hackers.
The consumer champion set up a fake home and filled it with
connected products bought from online marketplaces, ranging from
smart TVs, printers and wireless security cameras, to more
unusual gadgets such as Wi-Fi kettles. Researchers then connected
them to the internet, exposing them to online threats and malware
created by real cybercriminals.
Working with cyber security specialists NCC Group and the Global
Cyber Alliance, Which? looked for unique scanning attempts - a
technique used to locate online devices that exists in a legal
grey area and is a potential gateway used by hackers - and
hacking attempts, which are a clear breach of the Computer Misuse
Act.
The research team saw 1,017 unique scans or hacking attempts
coming from all around the world in just the first week of
testing, with at least 66 of these being for malicious
purposes.
That figure rose to 12,807 unique scans or attack attempts
against the home devices in the busiest week, including 2,435
specific attempts to maliciously log into the devices with a weak
default username and password. That equates to 14 attempts every
hour by real hackers to infiltrate the devices.
Most of the time, the basic security protections in the devices
were able to block the attacks, but that was not always the
case.
The most targeted devices in the testing were an Epson printer,
an ieGeek branded wireless camera and a Yale smart home security
system. All three devices were purchased from Amazon.
The ieGeek camera was easily hacked and compromised, allowing a
genuine suspected hacker to access the video feed and spy on the
testers. This is despite Amazon awarding the camera its
influential ‘Amazon’s Choice’ endorsement, with more than 8,500
ratings on its site, two thirds (68%) of which were five-star
reviews. The device has now been taken down from Amazon at
Which?’s request.
All real attacks against the printer and security system failed
because they had reasonably strong default passwords in place.
This does not mean they are unhackable, just that they have basic
protections against the most common bulk attacks that plague
smart homes. Most cybercriminals will not try again as it is not
worth their time to attempt anything more sophisticated.
The most common reason to hack smart devices is to create botnets
such as Mirai, which probe for new insecure devices, such as
routers, wireless cameras and connected printers coming online,
before forcing their way past weak default passwords. From there,
the parasite can be used as a powerful hacking tool, such as in
2016 when it knocked Twitter, Amazon and other leading websites
temporarily offline.
Based on Which?’s experiment, nearly all (97%) attacks against
smart devices are to add them into the sprawling Mirai
botnet.
The hacking traffic comes from around the world, but the vast
majority appears to originate from the USA, India, Russia, the
Netherlands and China.
As soon as testers connected the home to the internet, they were
being surveilled. As well as seeing the location where scans and
attacks were coming from, Which? could also track the time of the
attempts.
Which? found spikes of activity during the 9am-6pm period of the
typical UK working day. This suggests that criminals know this is
when people will be using their devices, potentially for work
during the pandemic, and so they have more chance of hitting a
target.
While not all scanning activity is malicious, and some is even
semi-legitimate, malicious hackers use port scanning to find weak
and vulnerable devices to prey upon.
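The investigation separated scanning attempts from login attempts that used a weak default username and password, then derived an hourly rate and a time-of-day pattern from them. As an added example (not code from Which?, NCC Group or the GCA), the script below performs that classification and arithmetic over a constructed honeypot log; the line format, the sample lines and the credential list are assumptions.

```python
from collections import Counter
from datetime import datetime

# Weak defaults the press release names ('admin', '123456') plus
# assumed common pairs; extend from the real honeypot's own data.
WEAK_CREDENTIALS = {("admin", "admin"), ("admin", "123456"),
                    ("root", "root"), ("admin", "")}

# Constructed sample honeypot log (not real data). Assumed line format:
# <ISO-8601 timestamp> <source IP> <SCAN|LOGIN> key=value ...
SAMPLE_LOG = """\
2021-06-07T09:15:02Z 203.0.113.5 SCAN port=23
2021-06-07T09:15:04Z 203.0.113.5 LOGIN port=23 user=admin pass=admin
2021-06-07T10:42:11Z 198.51.100.7 SCAN port=8080
2021-06-07T11:03:55Z 203.0.113.5 SCAN port=554
2021-06-07T13:20:30Z 192.0.2.44 LOGIN port=23 user=root pass=root
2021-06-07T14:05:17Z 192.0.2.44 LOGIN port=23 user=alice pass=correcthorse
2021-06-07T22:48:09Z 198.51.100.9 SCAN port=23
"""

def parse_line(line):
    """Split one log line into timestamp, source IP, event type and fields."""
    ts, src, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, event, kv

def summarise(log_text, hours_observed):
    """Count unique scanning sources and weak-default login attempts,
    derive the hourly login-attempt rate (the report's '14 every hour'
    figure is 2,435 attempts over one week) and the share of all
    activity that fell in the 9am-6pm window the investigation flagged."""
    scan_sources, weak_logins, by_hour = set(), 0, Counter()
    for line in log_text.splitlines():
        ts, src, event, kv = parse_line(line)
        by_hour[ts.hour] += 1
        if event == "SCAN":
            scan_sources.add(src)
        elif event == "LOGIN" and (kv.get("user"), kv.get("pass")) in WEAK_CREDENTIALS:
            weak_logins += 1
    total = sum(by_hour.values())
    working_day = sum(n for h, n in by_hour.items() if 9 <= h < 18)
    return {
        "unique_scan_sources": len(scan_sources),
        "weak_default_logins": weak_logins,
        "weak_logins_per_hour": round(weak_logins / hours_observed, 2),
        "working_day_share": round(working_day / total, 2) if total else 0.0,
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG, hours_observed=24))
```

A login attempt that uses a non-default password (the "alice" line) is deliberately not counted as a weak-credential attempt, mirroring the report's distinction between bulk default-password attacks and anything more targeted.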
Which? believes it is vital that the government pushes forward
with plans for legislation to require connected devices to meet
certain security standards and ensure this is backed by strong
enforcement.
The Product Security and Telecommunications Infrastructure Bill,
expected to be introduced in 2022, aims to regulate insecure
connected products. Among its provisions is that default
passwords on connected products, such as ‘admin’ or ‘123456’,
will be made illegal.
The consumer champion also wants to see online marketplaces and
retailers given additional obligations for ensuring the safety
and security of the products sold on their sites, regardless of
whether the seller is a third-party.
Kate Bevan, Which? Computing Editor, said:
“While smart home gadgets and devices can bring huge benefits to
our daily lives, consumers should be aware that some of these
appliances are vulnerable to hackers and offer little or no
security.
“There are a number of steps people can take to better protect
their home, but hackers are growing increasingly sophisticated.
Proposed new government laws to tackle devices with poor security
can’t come soon enough – and must be backed by strong
enforcement.”
- ENDS -
Notes to editors
Which? advice:
Change default passwords: Always change any
password that comes with the product you buy or already own. And
if it comes with a password such as admin or another
easy-to-guess variant, be very cautious about using the device as
attention to security in general might be lacking. Click here
for Which?’s password advice.
Enable all security: It’s worth taking some time
to see what security features are available in the manual or app
settings. If two-factor authentication is available, use it as it
can better protect your account. Click here
for Which?’s 2FA explainer.
Run updates: Always install any security updates
for the product or app so you’ve got the most recent
protections.
Placement: Think carefully where you place smart
devices, particularly if they have a microphone or camera, but
also if there is a label displaying a password or other login
credentials.
Be wary of phishing: Always stay vigilant to
what is sent to you via text or email, and be careful not to
click on any web links that look dubious. See how to detect
phishing attacks here - Which.co.uk/phishing
Take it back: If you believe a smart product you
own is insecure and you’ve owned it for less than six years, you
can take it back to the retailer under the Consumer Rights Act
2015.
Most targeted devices in our hackable home

Device                     Number of attack attempts in entire test
Epson printer              3960
ieGeek camera              3414
Yale Alarm                 1364
Samsung TV                  995
Philips Hue Bridge          954
Amazon Alexa devices        766
TP-Link Tapo Camera         541
Canon Printer               513
TP-Link Tapo Smart Plug     344
TP-Link Kasa Plug            64
Dyson Air Purifier           69
Ctronics Smart Doorbell      38
Research
In May and June 2021, Which? worked with security research
specialists NCC Group and the Global Cyber Alliance (GCA) to set
up a fake home and fill it with connected products. These ranged
from everyday items such as smart TVs, printers and wireless
security cameras, to more unusual gadgets such as smart blood
pressure monitors, Wi-Fi kettles and even an automatic curtain
opening device.
After setting all the devices up Which? exposed the home to the
internet and a host of real malware and other nasties created by
real cybercriminals. These weren’t simulated threats, but rather
real attacks created by real cyber-criminals who hack devices all
the time.
Based on industry estimates for 2020, UK households have more
than 10 different connected devices on average.
Rights of reply
ieGeek
Which? first wrote about security issues with ieGeek cameras back
in June 2018, when it found a flaw which meant anyone could
easily access the live video feeds of more than 200,000 other
ieGeek camera users, and even talk to those users via the
camera’s microphone.
ieGeek fixed this issue, but Which? was back criticising the
brand (among others) in separate wireless camera investigations
in 2019 and 2020.
Not all ieGeek cameras can be easily hacked, but Which? has
found enough over the years to give it cause for concern about
the brand.
Which? has been unable to contact ieGeek, and so instead
contacted Amazon about the issues found. Amazon then removed the
ieGeek camera from sale on its site.
Amazon said: “We require all products offered in
our store to comply with applicable laws and regulations and have
developed industry-leading tools to prevent unsafe or
non-compliant products from being listed in our stores.”