A hackable baby monitor, a water bottle that gives away your location and a cooker that anyone can control via WiFi - some of the vulnerable products will be on sale in the UK this Black Friday.
Security experts at Online Spy Shop rated devices for encryption and data privacy to determine individual vulnerability. Among those that fared particularly badly was a ‘smart bulb’ that can potentially tell cybercriminals when you’re asleep and a ‘zombie drone’ for which one hacker has already published a step-by-step takeover tutorial.*
Of the ten vulnerable devices identified, four were aimed at children; three were marketed as ‘smart home’ devices, and two even allowed hackers to track the movements of strangers remotely.
Alarmingly, nine of the ten popular products, some of which are on sale in Argos and Currys, were found to be not properly encrypted. One retailer** even warned that the Tile Mate tracking device “can’t be disabled if it falls into the wrong hands”.
Steve Roberts, the founder of Online Spy Shop, has this advice for Black Friday shoppers looking for a bargain gadget.
“Manufacturers are always looking for ways to make simple products more interesting, and making a product ‘smart’ is a quick way to do this. But ‘smart’ can also mean ‘insecure’. When it comes to smart and connected devices, encryption is the key to security. It enables data to be shared securely and only with those who have the correct encryption key. But it’s not the only thing to consider. Password strength requirements and software updates are important too.”
Five ways to spot a vulnerable device
- No encryption: it’s sometimes difficult to know whether a device is encrypted without digging through the product specifications. So this is where brand trust and reviews can be handy. If you don’t have time to inspect the specifications, look at some reviews.
- No requirement to update a default password: Some devices require a password but don’t prompt users to update the default password, which may be as easy to crack as ‘0000’ or ‘1234.’
- Unclear or vague wording on the privacy policy: This document should be clear and well laid out. Be wary of any privacy policy that uses too much jargon.
- Parental controls: These are especially important for toys and gadgets to be used by kids.
- Security updates: Even the most robust devices can be exposed, so manufacturers should regularly issue security updates. If the device doesn’t allow this, it could be vulnerable.
Ten vulnerable devices are on sale in the UK this Black Friday
| Product | Worst case scenario | Strong*** third party data and privacy policy | Encryption | Available from |
| --- | --- | --- | --- | --- |
| Parrot Bebop 2 drone | Drone is easily hackable by anyone within WiFi range, meaning control of the drone can be taken over. | ❌ | ❌ | Amazon, Argos, Currys |
| Harry Potter Kano Coding Kit | Nothing too worrying, although the device shares data with third parties for some unclear reasons | ❌ | ❌ | Amazon |
| Philips Hue Smart Light Kit | Relatively easy to hack. While people may not be able to assume control of your lights, they may be able to work out when you're asleep or not | ❌ | ❌ | Amazon and Currys |
| Samsung SmartThings Outlet | Hackers may be able to access your home device usage patterns. | ❌ | ❌ | Amazon, Argos, Currys |
| Anova Precision Sous Vide Cooker | Because the device isn't encrypted, hackers may be able to take control over the device via WiFi and adjust temperatures and cooking times. | ❌ | ❌ | Amazon |
| Sphero Mini robot ball | Relatively easy to hack, but there's not a lot a hacker could do with this toy, other than moving it about. | ❌ | ❓ | Amazon and Currys |
| Hidrate Spark 2.0 Water Bottle | A hacker could potentially track the location of this water bottle, meaning people who take their bottle on runs could be followed remotely. | ❌ | ❓ | Amazon |
| Amazon Fire HD Kids Edition | Provided parents are OK with Amazon having access to their child's browsing habits and other data, there's relatively little that can go wrong. | ❌ | ✅ | Amazon, Argos, Currys, John Lewis, Tesco, Asda |
| FREDI Baby Monitor | This baby monitor is unencrypted, meaning hackers can potentially access the camera and microphone, enabling them to spy on a sleeping baby or listen in on family conversations. | ❓ | ❌ | Amazon |
| Tile Mate | This product is designed to track lost items, such as phones and other valuables. However, the levels of protection are unclear. In fact, one retailer's website even warns customers that the device can't be disabled if it falls into the wrong hands. | ❌ | ❓ | Amazon, Argos and Currys |
*https://makezine.com/projects/build-wi-fi-drone-disabler-with-raspberry-pi/
**From the Currys website: https://www.currys.co.uk/gbuk/smart-tech/smart-tech/smart-toys-and-gadgets/tile-sport-bluetooth-tracker-graphite-10168385-pdt.html
***Strong refers to a third-party policy that is clear and that doesn’t require the user to share their data arbitrarily, for example, by having it sold.