Black Friday scam products could lead to cyber attacks, report finds

Thousands of cheap electronics being sold online on Black Friday could leave us exposed to cyber criminals, a new report shows. 

Consumer group Which? is warning of a flood of smart products sold on online marketplaces, including Amazon, eBay and AliExpress, in the run-up to the annual sales event, which falls on November 26 this year.

Which? found more than 1,800 smart tech products for sale that use apps with ‘inadequate security protection’, which could leave users exposed to hackers or ‘infringement of their data privacy’.  

Offending products – which include smart doorbells, wireless cameras, alarms and tablets – tend to be cheap imitations of reputable brands. 

Smart products by established brands tend to be more expensive – for example, some cheap doorbells sell for around a third of the price of a Ring smart doorbell – but Which? claims the cheap alternatives are still not worth their price tag due to security risks.

Some of the flaws Which? found would be made illegal under new legislation currently being planned by the UK government. 

Spot the difference: An Aiwit doorbell (£43, left) is similar in appearance to the one made by Amazon-owned industry leader Ring (£178, right)

WHERE ARE THEY BEING SOLD?  

Which? found more than 1,800 smart tech products available for sale that use apps with ‘inadequate security protection’.

These were being sold on:

AliExpress – 1,461 

eBay – 288 

Amazon Marketplace – 90

‘Our investigation has uncovered concerning security flaws with smart products that have flooded online marketplaces and could put consumers at risk this Black Friday,’ said Kate Bevan, computing editor at Which?

‘Which? is warning consumers to be cautious when shopping for connected tech products. 

‘Make sure you have researched the product you’re thinking of buying and choose one that doesn’t play fast and loose with security.’ 

Which? found it is difficult to trace the firms behind these white-label products, although they were often found to be based in Shenzhen or Hangzhou – two major electronics markets in China.

In most cases, these firms have little in the way of ‘clear contact details’ for consumers to report problems.

Which? found 1,727 different products – including products that were unbranded, from little-known brands or clones of legitimate items – that were sold on online marketplaces and all operated via just four apps. 

Pictured, an outdoor smart security camera from China-based brand COOAU that works with the CloudEdge app

‘CLONED’ PRODUCTS 

A lot of the products Which? found are clones of legitimate products or even clones of already cloned products. 

Usually with smart tech, a company has a single app that it uses with its products and maintains accordingly.

The difference with clone devices is that various different products from different manufacturers and sellers will use the same app. 

So, if that app has a vulnerability that is not fixed, all devices using it are also potentially vulnerable. 

Likewise, some apps have become so large that they are almost like operating systems. In that sense they could pose risks to consumers’ data privacy.

 

All four apps – Aiwit, CamHi, CloudEdge and Smart Life – had potential security issues.

Apart from Aiwit, Which? had to do extensive research to find the original app developer who could fix the problems it found.  

Password security was a widespread problem across the apps, as they enabled weak default or user-generated passwords, Which? found. 

These apps therefore potentially put users at risk of hackers finding the exact location of their home and targeting other more valuable smart devices linked to their home broadband network.

If exploited, these weaknesses could even allow a hacker to view live footage on a smart doorbell or a wireless camera.

Also during its investigation, Which? found 112 out-of-support Android tablets for sale on AliExpress and eBay – some of which were marketed for children. 

Some had not received a security update for more than seven years – updates which are crucial for defending against hackers – meaning they were effectively defunct.          

A lot of the products Which? found are clones of legitimate products or even clones of already cloned products – devices that look very similar in appearance to the product of an industry leader (for example, Apple, Amazon or Google). 

Unfortunately, evidence suggests these clone products are selling at scale.

Which? found 1,727 different products sold on online marketplaces and all operated via just four apps – Aiwit, CamHi, CloudEdge and Smart Life. Pictured is a smart doorbell that works with the Smart Life app

In all, there were 37,129 reviews for products that used the four apps – Aiwit, CamHi, CloudEdge and Smart Life – on Amazon. They had an average 4.1 star rating and some even had Amazon’s Choice labels.

Based on the data Which? has available, the devices found on AliExpress appeared to have sold more than 240,000 units collectively. Which? was unable to find sales data for eBay devices.

Based on reported figures and available data, Which? believes that hundreds of thousands of these devices have been sold and could now be in use in homes.   

Responding to Which?’s report, eBay said the items in question ‘are permitted for sale on eBay and do not violate our policies’, nor the law.

However, this may change when the UK government’s Product Security and Telecommunications Infrastructure Bill is introduced to parliament in the coming months.

This Bill will ‘make provision about the security of public electronic communications networks and public electronic communications services’.  

‘eBay encourages all members to take appropriate security precautions with any internet connected devices purchased on the marketplace, in the same way they would with their other connected devices,’ an eBay spokesperson said. 

‘Our sellers must ensure their listings comply with any applicable laws. Any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers.

‘If the UK government introduces new regulations in this area, sellers will of course have to comply with them.’ 

Black Friday is an annual event on the Friday following Thanksgiving Day in the US. Many stores around the world offer highly promoted sales on Black Friday, both in store and online. Pictured, shoppers visit a Toronto mall in Canada on Black Friday, November 29, 2013

Meanwhile, an Amazon spokesperson said: ‘Safety is important to Amazon and we want customers to shop with confidence on our stores. 

‘We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns.’

AliExpress said that they appreciated Which? bringing this to their attention and confirmed that they are looking into it, but did not provide further comment. 

Which? also contacted representatives for Aiwit, CloudEdge and Smart Life, but did not receive responses by the time of publication.

HiChip, the maker of CamHi, which was found to have password issues, said: ‘Thanks to the Which? team for letting us know the security risks. 

‘Many users don’t change the default password of the IP camera, so we have modified our CamHi and CamHi Pro apps so that users must change the password. And we will enforce a stronger password policy in the next app version.’    

WHICH? TIPS ON HOW TO SPOT A DODGY SMART PRODUCT 

1. Be wary of unknown or unbranded smart products. While we should not just automatically default to well-known and often expensive brands, it does matter which company has made the product you are considering. 

Which? has found thousands of products available on online marketplaces with no brand name at all. Not only do you have no idea who made the doorbell or camera, but it is possible the seller doesn’t know either.

2. Look at the product images and description. Run a search on the marketplace, such as ‘wireless cameras’. Try to spot products that look nearly identical. 

For example, most CloudEdge doorbells have a distinctive hood that’s easy to spot. Proceed with caution with any devices that look generic or common.

3. Always check the negative user reviews, not just the overall score. There is a big problem with fake reviews on online marketplaces. 

Fake customer reviews involve a company soliciting lots of positive reviews, either through established schemes or by offering incentives to people to give positive ratings to products they’ve bought. 

Always check the negative reviews, too. The one- and two-star reviews often cite problems with security – Which? has seen real cases of hacking reported in some of them – but also safety issues or general problems with functionality.

4. Check what app the smart product uses. If you see a smart product that you’re interested in, find out what mobile app it is using. 

You can do this on the product listing (type Ctrl+F and then ‘app’) or via research online. 

Once you have the app name, you can then search for it on Google Play or Apple’s App Store. These listings have information on who made the app. 
