A hackable baby monitor, a water bottle that gives away your location and a cooker that anyone can control via WiFi - some of the vulnerable products will be on sale in the UK this Black Friday.

Security experts at Online Spy Shop rated devices for encryption and data privacy to determine individual vulnerability. Among those that fared particularly badly was a ‘smart bulb’ that can potentially tell cybercriminals when you’re asleep and a ‘zombie drone’ for which one hacker has already published a step-by-step takeover tutorial*.

Of the ten vulnerable devices identified, four were aimed at children; three were marketed as ‘smart home’ devices, and two even allowed hackers to track the movements of strangers remotely.

Alarmingly, nine of the ten popular products, some of which are on sale in Argos and Currys, were found to be not properly encrypted. One retailer** even warned that the Tile Mate tracking device “can’t be disabled if it falls into the wrong hands”.

Steve Roberts, the founder of Online Spy Shop, has this advice for Black Friday shoppers looking for a bargain gadget.

“Manufacturers are always looking for ways to make simple products more interesting, and making a product ‘smart’ is a quick way to do this. But ‘smart’ can also mean ‘insecure’. When it comes to smart and connected devices, encryption is the key to security. It enables data to be shared securely and only with those who have the correct encryption key. But it’s not the only thing to consider. Password strength requirements and software updates are important too.

Five ways to spot a vulnerable device

  1. No encryption: it’s sometimes difficult to know whether a device is encrypted without digging through the product specifications. So this is where brand trust and reviews can be handy. If you don’t have time to inspect the specifications, look at some reviews.

  2. No requirement to update a default password: Some devices require a password but don’t prompt users to update the default password, which may be as easy to crack as ‘0000’ or ‘1234.’

  3. Unclear or vague wording on the privacy policy: This document should be clear and well laid out. Be wary of any privacy policy that uses too much jargon.

  4. Parental controls: These are especially important for toys and gadgets to be used by kids.

  5. Security updates: Even the most robust devices can be exposed, so manufacturers should regularly issue security updates. If the device doesn’t allow this, it could be vulnerable.

Ten vulnerable devices are on sale in the UK this Black Friday

| Product | Worst case scenario | Strong*** third party data and privacy policy | Encryption | Available from |
|---|---|---|---|---|
| Parrot Bebop 2 drone | Drone is easily hackable by anyone within WiFi range, meaning control of the drone can be taken over. | | | Amazon, Argos, Currys |
| Harry Potter Kano Coding Kit | Nothing too worrying, although the device shares data with third parties for some unclear reasons | | | Amazon |
| Philips Hue Smart Light Kit | Relatively easy to hack. While people may not be able to assume control of your lights, they may be able to work out when you're asleep or not | | | Amazon and Currys |
| Samsung SmartThings Outlet | Hackers may be able to access your home device usage patterns. | | | Amazon, Argos, Currys |
| Anova Precision Sous Vide Cooker | Because the device isn't encrypted, hackers may be able to take control over the device via WiFi and adjust temperatures and cooking times. | | | Amazon |
| Sphero Mini robot ball | Relatively easy to hack, but there's not a lot a hacker could do with this toy, other than moving it about. | | | Amazon and Currys |
| Hidrate Spark 2.0 Water Bottle | A hacker could potentially track the location of this water bottle, meaning people who take their bottle on runs could be followed remotely. | | | Amazon |
| Amazon Fire HD Kids Edition | Provided parents are OK with Amazon having access to their child's browsing habits and other data, there's relatively little that can go wrong. | | | Amazon, Argos, Currys, John Lewis, Tesco, Asda |
| FREDI Baby Monitor | This baby monitor is unencrypted, meaning hackers can potentially access the camera and microphone, enabling them to spy on a sleeping baby or listen in on family conversations. | | | Amazon |
| Tile Mate | This product is designed to track lost items, such as phones and other valuables. However, the levels of protection are unclear. In fact, one retailer's website even warns customers that the device can't be disabled if it falls into the wrong hands. | | | Amazon, Argos and Currys |

*https://makezine.com/projects/build-wi-fi-drone-disabler-with-raspberry-pi/

**From the Currys website: https://www.currys.co.uk/gbuk/smart-tech/smart-tech/smart-toys-and-gadgets/tile-sport-bluetooth-tracker-graphite-10168385-pdt.html

***Strong refers to a third-party policy that is clear and that doesn’t require the user to share their data arbitrarily, for example, by having it sold.