11/16/2021 | Press release | Distributed by Public on 11/16/2021 11:36
Smart products purchased from online marketplaces could present security and privacy risks
Smart products, such as doorbells, wireless cameras and alarms, have been increasingly popular purchases for consumers in recent years. The products can bring a range of efficiencies into the home, but a recent investigation from independent UK consumer body, Which?, shows that they could also present security and privacy risks.
Working closely with Which?, we recently assessed the safety and security of smart products that are sold across popular online marketplaces including AliExpress, Amazon Marketplace and eBay. Which? identified hundreds of different products that were supported by just four applications (Aiwit, CamHi, CloudEdge and Smart Life), and we found several potential security flaws within those applications that could leave users vulnerable to hackers or expose their personal data.
Smart products often ship with weak 'out-of-the-box' passwords or allow users to set simple passwords themselves, and this was true across the apps that we investigated. Attackers can exploit these passwords to compromise the device, and from there other devices connected to the same broadband network. In some cases they can even identify the user's location and watch live footage of their home through video-enabled products such as smart doorbells, which presents obvious security and privacy risks.
Insecure data transfer
Encryption protects users' data in transit, whether it is being sent to other smart devices or outside the user's home network. Unfortunately, the apps that we investigated allowed unencrypted data transfers and used unclear privacy policies that make it very difficult to establish how users' data is being shared. Some of these lax security practices will be outlawed under the UK government's forthcoming Product Security and Telecommunications Infrastructure (PSTI) Bill, but they remain a cause for concern ahead of busy shopping periods such as Black Friday and Christmas.
Responsible disclosure of vulnerabilities is one of the most effective ways to give manufacturers the information they need to fix security flaws and protect users. However, many of the apps that we tested did not clearly present contact details for this purpose. Of all the apps, Aiwit was the only one which didn't require extensive research to find the original app developer. Smart Life was the only app that appeared to have a clear disclosure policy, but that was only made apparent when Which? sourced its actual developer, Tuya, rather than the developer with no web presence that had been listed on the app.
Smart devices that are no longer supported by their manufacturer or have not received regular security updates are targeted by hackers as a route to compromising other devices. Our investigation found more than a hundred unsupported devices for sale on AliExpress and eBay, some of which are estimated to have last received a security update more than seven years ago. Many of the devices are marketed at children, making this finding particularly concerning for consumers.
Commenting on the research, Matt Lewis, Commercial Research Director at NCC Group, said: "Our findings show that consumers should exercise caution when purchasing smart products from online marketplaces, particularly ahead of busy shopping events like Black Friday and Christmas. It's encouraging that the UK government is planning to strengthen the safety and security of smart products with new legislation, and we expect other countries to implement similar laws to protect consumers in the near future.
"In the meantime, we'd encourage smart device manufacturers to prepare for this legislation today by building security into the manufacturing process from the start. Our findings show that mandating strong passwords, encrypted data transfer, regular security updates and clear disclosure policies can go a long way to protecting a company's reputation and enhancing trust with consumers."
What should consumers do?
Advice to manufacturers
Manufacturers should prepare for incoming legislation around tighter IoT security by adhering to recognised security standards such as those laid out by the ioXt Alliance, the Global Standard for IoT Security. These include:
You can read the Which? article here: https://www.which.co.uk/news/2021/11/hack-friday-online-marketplaces-flooded-with-insecure-smart-products/