Five long years of the Hackable Home: what will end this security standstill?
Smart, digital home devices have grown in popularity, but some manufacturers are selling products with no regard for safety and security. Digital video doorbells, smart speakers and connected TVs can be found in many homes, offering smooth user experiences and personalized services. The bad news is that they also offer an easy target for cybercriminals, who can exploit vulnerabilities to get at the sensitive data the devices collect or to launch a wider attack on the home network.
For five years, since 2018, Testachats has led Euroconsumers’ Hackable Home testing programme – a regular study of how smart home devices stand up against attacks. The latest round of testing from Euroconsumers revealed yet another abundance of basic security failures across 17 smart home devices.
Despite increased awareness of cyber risks, and growing consumer awareness of the need to keep products updated and passwords strong, the results have not improved year on year. There remains a stubborn refusal amongst some manufacturers to get serious about securing our homes and privacy against cyber attack.
Hackable home: results of cyber testing
The research revealed over 60 vulnerabilities in 17 smart devices, including a smart video doorbell, a smart speaker, a smart thermostat and a robot vacuum cleaner.
Devices with poor security can pose a risk not only to your home network and the devices connected to it, but also to your privacy and even the security of your home.
Ten of the products were from less-expensive, lesser-known brands bought through Amazon or AliExpress. The remaining seven were from large, reputable brands but were no longer supported by the manufacturer at the time of purchase. Because they were no longer receiving software updates, they gave an interesting indication of how safe products remain over time.
After extensive testing, the Euroconsumers lab identified a total of 61 vulnerabilities, including 8 rated high-risk and 4 rated critical. These included:
A Mercusys MR70X wireless router bought on Amazon with a weak preconfigured password which could be cracked in a few seconds.
Another wireless router had outdated software containing known vulnerabilities and ‘Universal Plug and Play’ (UPnP) enabled by default, which lets networked devices find and link to each other. The risk with a router is that if it is compromised, the attacker can then reach other devices on the network – for example a security camera’s video stream.
Unbranded door locks on AliExpress that use easily cloned badges to open front doors.
A smart video doorbell and accompanying app from Rehentronix which send unencrypted data over the internet, making it easy to intercept.
A cheap smartwatch for sale on AliExpress whose companion app is vulnerable to a ‘man in the middle’ attack, exposing sensitive information such as the user’s email address and password.
One of the most worrying issues found was a Wansview wireless outdoor camera on sale on Amazon, which had 12 vulnerabilities, 3 of them rated critical. An attacker could buy the camera, easily install malware on it and in doing so gain full control over the device. He could then resell it, return it to the store or give it away, and later use it to launch attacks, for example to steal sensitive information or intercept video footage remotely.
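The UPnP finding above is easy to check for on your own network. The following is an added example, not part of the Euroconsumers report or its test procedure: it builds a standard SSDP M-SEARCH request, parses the replies, and flags any device advertising the UPnP Internet Gateway Device port-mapping services (the WANIPConnection and WANPPPConnection service URNs defined by the UPnP IGD specification), which is what lets any device on the LAN ask the router to open ports to the internet without authentication. The sample replies embedded in the block are constructed for the demonstration and do not come from any tested product; the addresses in them are placeholders.

```python
"""Added example: audit a LAN for routers exposing UPnP IGD port mapping.

Not from the Euroconsumers/Testachats report. Service URNs are the standard
UPnP IGD ones; SAMPLE_REPLIES below are constructed, not captured.
"""
import socket
from typing import Dict, List

SSDP_ADDR = ("239.255.255.250", 1900)

# Standard UPnP IGD service types whose AddPortMapping action opens
# inbound ports on the router with no authentication (IGD v1 and v2).
PORT_MAPPING_SERVICES = (
    "urn:schemas-upnp-org:service:WANIPConnection:",
    "urn:schemas-upnp-org:service:WANPPPConnection:",
)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:"


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request as defined by UPnP Device Architecture."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an SSDP (HTTP-over-UDP) 200 reply into lower-cased headers.

    Anything that is not a well-formed 200 reply yields an empty dict.
    """
    text = raw.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: Dict[str, str]) -> str:
    """'port-mapping' (IGD service), 'gateway', 'upnp-other' or 'none'."""
    st, usn = headers.get("st", ""), headers.get("usn", "")
    if any(s in st or s in usn for s in PORT_MAPPING_SERVICES):
        return "port-mapping"
    if IGD_DEVICE in st or IGD_DEVICE in usn:
        return "gateway"
    return "upnp-other" if headers else "none"


def audit_responses(responses: List[bytes]) -> Dict[str, List[str]]:
    """Group responders' LOCATION URLs by risk class, dropping non-replies."""
    result: Dict[str, List[str]] = {}
    for raw in responses:
        headers = parse_ssdp_response(raw)
        cls = classify(headers)
        if cls == "none":
            continue
        loc = headers.get("location", "<no LOCATION header>")
        bucket = result.setdefault(cls, [])
        if loc not in bucket:
            bucket.append(loc)
    return result


def discover(timeout: float = 3.0) -> List[bytes]:
    """Multicast an M-SEARCH and collect raw replies (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            replies.append(sock.recvfrom(65507)[0])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample replies (placeholder addresses, not captured traffic).
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.0.1:1900/igd.xml\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.0.23:49152/description.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n",
    b"not an SSDP reply at all",
]

if __name__ == "__main__":
    # Offline demo on the constructed replies; use discover() on a real LAN.
    for cls, locations in audit_responses(SAMPLE_REPLIES).items():
        print(cls, locations)
```

A responder in the `port-mapping` bucket is a router whose UPnP IGD interface is reachable from the LAN; on a home network that means any compromised device can open inbound ports for itself or for neighbours. The fix is the one the article implies: disable UPnP in the router’s admin interface unless a specific application needs it.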
While low-cost brand products typically have more, and more serious, vulnerabilities, our research shows that popular products from well-known brands can also pose a security risk, especially once they no longer receive software updates. Unlike traditional products, smart devices only last as long as their software is supported, and it is not uncommon for a manufacturer to stop supporting a product a few years after launch.
It was striking that these unsupported devices from major brands were still on sale online. Moreover, since most of them were sold in large numbers, it is very likely that many are still present in many households.
Disappointing response from smart device brands
Testachats struggled to get a satisfactory response from the manufacturers when it shared the details of the higher-risk security vulnerabilities. For four of the manufacturers, no contact information was even available; another four did not respond. Among the major brands, HP and TP-Link were the most responsive, but even though they looked carefully into the identified issues, they gave no guarantee that all of them would be satisfactorily fixed. Of the two low-cost brands that did respond, one (Meross) promised to improve encryption ‘in the near future’ and the other (Mercusys) made a set of proposals for improvement, but our security experts are skeptical that these will fix all of the problems identified.
This discouraging response shows just how far manufacturers need to go to take security seriously and give consumers the peace of mind they deserve throughout the lifetime of a device, and suggests the introduction of legislation is the right way to go to improve this expanding market.
However, when Amazon and AliExpress were notified by us, they took the products offline. This is in part due to the Product Safety Pilot launched by Euroconsumers with major online marketplaces last year: a voluntary agreement designed to speed up the removal of dangerous and insecure items from online platforms once Euroconsumers’ testing has identified a fault.
Does the Cyber Resilience Act offer hope for secure smart homes?
Since the last Hackable Home testing round in 2021, we’ve seen the development of some key pieces of legislation designed to fortify the product ecosystem so that it is cyber-secure. The Cyber Resilience Act (CRA) may still be subject to further amendments but as it stands it mandates cybersecurity requirements for things like updates and authentication.
It also makes cybersecurity risk assessments compulsory for manufacturers but crucially, only requires independent third party conformity assessment when a product is deemed ‘critical’.
Most products in the critical category are intended for industrial use. Although consumer IoT can be used as an access point for wider attacks and can hold a lot of sensitive, personal data, the vast majority of them did not make it on to the list of critical connected products despite consumer organizations’ best efforts. This means manufacturers will have to carry out risk assessments, but can do this themselves without third party verification of conformity with security requirements.
Will the revised General Product Safety Regulation keep consumers secure?
The CRA is not the only thing that impacts on consumers’ connected products. The revised General Product Safety Regulation (GPSR) will come into effect in December 2024. This general regulation decides on a pan-EU level what makes a product safe, empowers national authorities to keep particular dangerous products off the market and sets out who is responsible for what in the supply chain.
Recognising a major uptake in connected devices since it was last revised in 2012, the GPSR re-defines a product as one that might be interconnected with other products, as opposed to standing alone, and specifies that being cybersecure is a key feature of a safe product.
Platforms get new responsibilities under the GPSR and, although these fall short of what consumer groups wanted to see, there are some welcome developments. Platforms now have to establish a single point of contact so that authorities can send takedown notices or warnings directly to them. Dangerous products must be removed from sale within two working days of such a notice – a significant difference from the new Digital Services Act, which sets out no timeline within which illegal content must be removed. Online marketplaces will also need to carry out spot checks on products.
How else can we halt the rise of the hackable home?
The new legislation coming through offers some hope that the loopholes allowing cyber-insecure products to be sold will be closed. However, the challenge of insecure devices making it onto the market and into homes is a multilayered one and needs the attention of everyone: manufacturers, retailers, marketplaces, market surveillance authorities, consumers and, of course, legislators. Consumers deserve the convenience and ease that digital innovation offers without compromising on privacy and security.
The best way is to embed a mindset of security by design for the whole person and whole home. After all, you wouldn’t design a door that could be easily unlocked, so why design a home device that could be easily hacked?