Online marketplaces flooded with insecure smart products

From smart doorbells that could open the door to hackers, to tablets long past their use-by date, we've found 1,839 individual products listed on UK online marketplaces - Amazon, eBay and AliExpress - that are suspected to have security and privacy risks.

As insecure devices could leave you open to being targeted by hackers, it's important to do your research when shopping for smart devices.

Read on for more on our investigation, along with in-depth advice on buying, using and also returning smart products with security issues.

Smart home tech reviews - see expert and in-depth reviews of smart doorbells, wireless cameras, smart thermostats, and more

Video: how hackers target your smart home devices

Find out how you could be at risk due to insecure smart home tech.

How we found the insecure smart products

There are thousands of smart devices on sale online, so even the close to 2,000 that made up our investigation doesn't cover every product you can buy.

The situation becomes even more difficult to judge when the product doesn't have a brand attached to it. For example, in a search on eBay on a single day in October 2021 we found that there were 2,640 smart doorbells listed as 'unbranded', and 8,022 unbranded wireless cameras.

So, we instead focused on the apps that we know from previous research are used by many devices to get online.

We combined in-depth testing and knowledge of generic and clone smart products, with a method called web scraping. This involves us taking key terms, such as the name of an app, and then trawling the marketplaces for listings that mention this term.

After fully checking over the data, we can give a picture on just how many devices we think are on sale that all use the same app or characteristic, and so could have similar problems.

Tech tips you can trust-get our free Tech newsletter for advice, news, deals and stuff the manuals don't tell you

IoT apps used by thousands of devices

1,727 of the products we found, including devices that were unbranded, from little-known brands or suspected clones of legitimate items, used just four apps - Aiwit, CamHi, CloudEdge and Smart Life.

Working with security experts, 6point6 and NCC Group, we found that all these apps had potential security issues that could make them easy prey for hackers, or other issues that could put your privacy at risk.

• Password security - weak default or user-generated passwords potentially put users at risk of hackers, who could even view live footage on a smart doorbell or a wireless camera.
• Unencrypted data transfer and vague privacy policies could put your data at risk
• Vulnerability reporting - in most cases we had to do extensive research to find the original app developer who could fix the problems it found. A clear disclosure policy is going to be a key part of upcoming government legislation.
• Out of support devices - some Android tablets had not received a security update for more than seven years - updates which are crucial for defending against hackers.

The products we found were certainly popular. The identified devices had 37,129 reviews on Amazon at an average 4.1 star rating, with 15 featuring Amazon Choice labels.

Based on the data we had available, the devices found on AliExpress appeared to have sold more than 240,000 units collectively. We were unable to find sales data for eBay devices.

As many of the security and privacy issues we've found still remain active, we are not publishing any individual details on vulnerabilities. If you have one of these products, scroll to the bottom of the page for tips on how to increase your security.

Smart devices using the Cloudedge app

We've previously reported on issues with the Cloudedge app as part of our 2020 investigation into smart doorbells.

In October 2021, we found 117 devices running Cloudedge across the three major online markplaces. Our research team also found a whole host of problems with the Cloudedge app.

Although the developer is listed on Google Play as either Arenti Europe or Brian Borghardt, CloudEdge is actually operated by Meari Technologies.

We have contacted Meari about our security/privacy findings on CloudEdge but it did not respond by time of publication.

Use our smart video doorbell reviews to find a great product that you know is safe to use.

CamHi app default password risk

We found 596 products running CamHi/CamHi Pro in October 2021, with the vast majority being listed at AliExpress.

Most of the critical issues we reported about CamHi in June 2020 have been fixed by the developer, and the app now enforces a password - something that would have helped stop a CamHi camera getting hacked in our lab earlier this year.

We still have concerns about CamHi, however, and have put these again to the developer, HiChip, (Mr Frank Zhao, HiChip's founder, is listed as CamHi's developer on app stores), and its business partner, ieGeek.

HiChip has responded well to our disclosure and already moved to address many of our concerns we remain in talks with the company at time of publication.

'Thanks to the Which? team for letting us know the security risks,' a HiChip spokesperson told us.

'Many users don't change the default password of the IP camera, so we have modified our CamHi and CamHi Pro apps so that users must change the password. And we will enforce a stronger password policy in the next app version.'

HiChip has said that it will add a vulnerability disclosure policy to CamHi app store listings to make it easier for security researchers to disclose future vulnerabilities.

We test for and report any security issues in our all our wireless camera reviews.

Aiwit app security issues

Aiwit is the only app we looked at where the developer is clearly listed on app stores - Eken Technologies.

We found 76 devices running Aiwit, mostly cameras and smart doorbells, such as the model in the picture below (which looks very similar to a Ring doorbell).

Although Aiwit was running on the least devices of all the apps we assessed, we discovered a range of security and privacy concerns with the software.

Despite multiple attempts, Eken did not respond when we contacted it and so these issues remain unresolved. If you have a device that runs Aiwit, make sure you review our security advice further down this article. 

Smart Life app privacy concerns

With 938 individual products found on the three marketplaces running an app called Smart Life, this app is fast becoming an IoT platform akin to Philips Hue or Apple HomeKit.

There is a huge variety of Smart Life devices - from security cameras to water leak sensors to even smoke alarms.

While the listed developer of Smart Life on app stores is Volcano Technology, we've found that it is actually a subsidiary of Tuya, a large IoT services provider.

Tuya, which maintains the app, responded to us and fixed a password security issue in the app we found.

We have no other security concerns about the app, but have raised questions about Tuya's privacy policy and are in the process of clarifying these at time of publication. 

Old Android tablets could put you at risk

There aren't many decent Android tablets for under £100 (Amazon's cheap Fire tablet range runs a modified or 'forked' version of the operating system). So, you could be tempted to trawl the marketplaces for an older, cheaper model.

Before you buy, however, you need to consider whether the operating system is still supported with updates.

When we scraped AliExpress in October 2021, we found 25 Android tablets running an out-of-date version of Android (deemed as Android 7.0 or earlier). However, we found a lot more (87) old Android tablets when we scraped eBay.

These eBay tablets were clearly listed for sale running Android 7.0 or earlier, which Google and the tablet brands stopped supporting more than two years ago. Many tablets ran Android 4.4 KitKat, which had its last update more than seven years ago.

You might think they are mostly second-hand tablets being sold by former owners. In fact, 61 were listed as new or 'opened but never used' on eBay. Many of these tablets were also actively being marketed as for use by children.

Don't buy anything running Android 8 or earlier. We also advise caution on buying a tablet running Android 9 as it was due to lose support in October. Go for Android 10 or 11 if you can.

Use our tablets security tool to check if a tablet you own or are considering buying is still supported with updates.

What the online marketplaces told us

We contacted all the three online marketplaces about our findings.

AliExpresssaid that it appreciated us bringing this to its attention and confirmed that it is looking into the problems we found, but did not provide further comment at this time.

Amazon said: 'Safety is important to Amazon and we want customers to shop with confidence on our stores. We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns.'

eBay told us: 'eBay encourages all members to take appropriate security precautions with any internet connected devices purchased on the marketplace, in the same way they would with their other connected devices. The items shared with us by Which? are permitted for sale on eBay and do not violate our policies.

'Our sellers must ensure their listings comply with any applicable laws, any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers.

'If the UK Government introduces new regulations in this area, sellers will of course have to comply with them.' 

UK government must act on online marketplaces

When it comes to products that can pose a security or privacy risk, Which? believes that more must be done to prevent them from going on sale.

We are supportive of the UK government's new Product Security and Telecommunications Infrastructure (PSTI) bill that will attempt to put in place a baseline of security for smart products.

However, considering that none of the products we found in this investigation would comply with the law, the challenge of regulating smart devices is huge. We are also concerned that the law won't go far enough.

The IoT Security Foundation recently showed that very few IoT companies have a clear vulnerabilities disclosure policy in place. But when it is hard to tell who has even made a device or the app it runs, the problems of responsible disclosure are compounded.

While the PSTI law will make it law that you must be told how long your product will get updates when you buy it, we also want manufacturers to support products for as long as possible.

There are huge benefits to buying and owning smart products. They make it easier to live our lives, whether that's controlling our heating or watching Netflix on a smart TV.

However, if a smart product isn't made with good security, it just isn't safe. And if it isn't safe, it shouldn't be on sale.

Staying safe when shopping for smart tech

Follow our tips on how to spot potentially insecure tech when shopping for new smart devices.

• Be wary of unknown or unbranded smart products: While we should not just automatically default to well-known and often expensive brands, it does matter which company has made the product you are considering. We found thousands of products available on online marketplaces with no brand name at all. Not only do you have no idea who made the doorbell or camera, but it is possible the seller doesn't know either.
• Check for lots of similar looking products: Run a search on the marketplace, such as 'wireless cameras'. Try to spot products that look nearly identical. Proceed with caution with any devices that look generic or common.
• Fake reviews: There is a big problem with fake reviews on online marketplaces. Fake customer reviews involve a company soliciting lots of positive reviews, either through established schemes or by offering incentives to people to give positive ratings to products they've bought.
• Check negative user reviews: One and two-star reviews often cite problems with security - we've seen real cases of hacking reported in some of them - but also safety issues or general problems with functionality.

What should I do if I own one of these products?

If you already have a device that runs one of the apps we've listed here, don't panic. Although hacking attacks against smart devices are on the rise, the chance of your product being compromised by malicious hackers is still relatively low.

However, there are steps you can take to increase your security.

• Change the password: Aweak password is the most common way that smart devices get hacked. Always change any default passwords on your devices and/or set up your account with a strong password. Making passwords unique and hard to guess, but also memorable, is one of the best steps you can take to increase your security.
• Run security updates: Some of the security issues we've found here have been fixed through updates by the app developer. That shows how important updates are, and how essential it is that you run them. However, some devices, such as the Android tablets we've found, are no longer being supported, so if any security issue is found, it might not get fixed, leaving you vulnerable.
• Be careful where you place the device: With any smart device that has video or audio recording functionality, think about where it is positioned. There could be privacy risks if the device is compromised, but it could also be used to target other more valuable devices (see the video report above). And if your smart device is not being used, turn it off.

What are my legal rights with smart products?

What happens if you buy or own a smart product with a security risk and want to take it back? There isn't currently a legal requirement that requires products you buy to meet a certain level of security. The PSTI will change that when it comes into force.

The Consumer Rights Act 2015 requires goods to be 'as described' and of 'satisfactory quality', which means products meeting the standard that a reasonable person would expect so that they are fit for their usual purpose. Failure to meet these requirements means you could, depending on the circumstances, have the right to ask for some or all of your money back, a repair, or replacement.

The UK government has said that the PSTI bill will eventually 'fit within this legal framework', so it's worth contacting the place where you bought the smart goods about the security issue. Depending on how long ago you bought the product, you might have to prove the case, possibly by using a report from Which? or another reputable source.

If unsuccessful, you could escalate the case to a small claims court, but you'll need to convince the judge that you have a case. Alternatively, if the product cost more than £100 and you paid by credit card you could put a claim to your card provider as Section 75 of the Consumer Credit makes the card provider jointly liable for any breaches of contract.

Find out how long your tech will last - use our free security tools to check a laptop, tablet, mobile phone or router that you own, or are looking to buy.