
Has one of your devices been hacked?

Security flaws could leave some smart devices vulnerable to hackers – has it ever happened to you? We’re looking to speak to people who’ve been affected.

Last month we revealed that millions of people in the UK could be at risk of using routers with security flaws that could leave them vulnerable to hackers. This is because many of those devices are more than five years old and are no longer supported by firmware updates.

Our past investigations have shown that these vulnerabilities can be exploited and then used in malicious ways.

Have you ever been hacked?

Has your phone, laptop, router, doorbell or other smart product been behaving strangely, such as frequently losing access to your wi-fi, running very hot or locking you out of access?

Have you been locked out of your online accounts and/or seen your home broadband slow to a crawl? Or have you even heard a stranger’s voice over your wireless camera or baby monitor?

If any of these things sound familiar, we’d be interested in speaking to you – we’re looking to chat with anyone who believes that their smart devices may have been hacked.

You can get in touch with your story in the comments.

Alternatively, if you’d prefer to share what happened in confidence, you can email the Which? Conversation team on:

conversation.comments@which.co.uk

Comments

I am concerned by the proliferation of smart devices. I am looking to replace a dishwasher and was disappointed to discover that most of the models of one brand have smart features that would allow me to switch them on using a smartphone or order dishwasher tablets from Amazon. I am happy to press the on button when required and buy dishwasher tablets from a supermarket, thank you. I wonder how secure a smart dishwasher would be in ten years’ time.

Perhaps Which? reviews of smart products could include brief information about the potential risks and a link for more detail.

Would the smart dishwasher app tell you whether the salt or rinse aid needs refilling before switching on and doing that for you?

Smart functions are making people useless.

My dumb dishwasher has a couple of red indicator lights on the front labelled “rinse aid” and “salt”. I have to read the relevant one, get liquid or granules from the cupboard and refill the containers myself to get those lights to go out. If only I had a smart butler………

I suppose it’s impossible to get a dishwasher without the smart features now; it’s in the price [= more profit].

A friend of mine recently had a futuristic novel published about humanoid robots, artificial intelligence, and the potential consequences for human humans after being relieved of all routine functions. The prospect is not appealing.

I assume that there is no need to make use of smart features in home appliances and other products, so there will be no risk of security problems. Nevertheless, if the user puts their new machine online and discontinues use of the smart features when the novelty wears off they could be at risk, possibly years later.

Steve B says:
16 June 2021

If only the Smart dishwasher could tell my family to put dishes inside rather than leave them by the dishwasher... or even better to load itself

Phil says:
16 June 2021

Or alert you if non-dishwasher safe items had been placed inside.

I suddenly lost all the apps on my Smart Samsung TV again at the weekend. This is not the first time this has happened. The last time all attempts to restore it failed, but after a few months it suddenly returned. Fortunately I can still receive YouTube on the iPad. The rest, I don’t really miss.

After reading all these comments it brings me to the conclusion that we MUST still be allowed the option of buying appliances WITHOUT so-called “smart” features, which are only really needed for people who are too lazy to carry out basic everyday tasks, though I suppose they could possibly assist some disabled and elderly folk in some ways. And anyway we don’t all use “smart” phones and we don’t all want them, I’ve never had a smart phone and don’t want one, but I can’t help noticing how the manufacturers are trying to persuade us all to buy one by fitting only really poor cameras on the more basic models which I furiously resent as I’ve had basic models in the past which had great cameras but I can’t find one now. And what about so-called “smart” meters, something we won’t have any option about by about 2024 as the more basic meters are no longer being made. Does anyone know if the smart meters can be hacked and cut off your power or your gas for instance? I know that smart electric meters have a relay inside which can be used to cut off your power, and therefore presumably smart gas meters will have a similar feature with a solenoid valve or something similar that can be controlled remotely, which could cause an explosion if it was feeding an older gas appliance which doesn’t have a thermocouple safety device fitted and the gas was cut off for a while and then restored later. This is where the smart tech security risk gets really serious and we need some serious answers asap. Personally I think smart meters should NOT be made compulsory but we should continue to be allowed the option of keeping more basic meters which are totally hack proof, this is especially important for people who are elderly and/or seriously disabled.
All this so-called “smart” stuff is all about convenience, something which all too often has too high a price and it’s all too often the most vulnerable in our society that end up suffering as a result, which is why the government should NOT make such things as smart meters compulsory.

There is no obligation to have smart meters fitted, though I am not aware that this is made clear or even mentioned in advertising.

The EU placed an obligation on the UK (and others) to have smart meters installed. The UK could be fined if they do not meet targets so will encourage users to have them. But they are not compulsory. I have no objection to them as a device, just the spurious marketing that they would save us money; instead the rollout costs over £11bn, around £400 each household, that will never be recouped from savings. However, they will help grid planning, essential for the future, particularly as we go more electric.

@crusader, you are right about remote control of your electricity smart meter, I believe. This can be used to selectively shed load when there is a supply problem and leave those who are very dependent upon electricity – medical appliances, the vulnerable for example – still connected. Whether they can be hacked? Maybe someone can tell us.

I would imagine – hope – the gas supply cannot be controlled remotely for the reasons you give.

Phil says:
16 June 2021

“The UK could be fined if they do not meet targets” Despite Brexit?

It should be possible to disable the smart features on any appliance but the whole load shedding nonsense has to be stopped. We need more generating capacity and storage so it won’t be necessary. The ability to turn off appliances or an individual supply remotely has inspired a dangerous idea from the right wing ‘think tank’ the IEA. They argue that an uninterrupted power supply is a ‘premium product’ for which consumers should pay more. In the event of load shedding only those not paying the premium price will have their supply cut off.

Smart meters are a big con.

Phil, no, but this EU requirement drove the smart meter installation programme. They cannot fine us now (I hope). Would we have taken on smart meters anyway? Probably, but maybe sorted out the protocols first rather than having to rush into it and having to adapt or replace the first devices that could not communicate with all providers. But who knows……

“Last month we revealed that millions of people in the UK could be at risk of using routers with security flaws that could leave them vulnerable to hackers.”

Given the apparent risk to millions, it would be great to hear (at least roughly) how many have actually been affected.

I often wonder if, whilst real, all these security risks are greatly exaggerated by those who stand to profit from risk aversion measures or from journalism promoting the latter.

Hi, the team will be publishing the data on the scale of the attacks in an upcoming investigation (and they’re keen to speak with as many affected people as they can before then). It’s right that any risks/flaws found are exposed as early as possible in order to prevent anyone from falling victim in the first instance. We think ISPs should be far more upfront about how long routers will be receiving firmware and security updates, and they should actively upgrade customers who might be at risk.

Thanks Chirag,

I think most ISPs just issue a free router at the start of a broadband contract and then take no proactive steps to update or replace them once they are out of software maintenance.

Hence, moving suppliers every few years can also convey the benefit of getting an updated router “for free”.

Most of the old routers that I have do just seem to keep on working with no obvious problems, which is why I would like to learn more about the real nature of the risks from out of support routers.

Last time I looked more deeply into this, I think I discovered that much of the risk was concentrated on a few particular models, as set up and configured by certain ISPs. Also, when I have tried to install 3rd party firmware, I’ve usually found that none of my routers were compatible with any of the released and supported software. So it may be that a given hack can target only a small proportion (e.g. 0.1%) of routers, in which case that can be a useful yield for the hacker, but it won’t affect 999 out of 1000 consumers.

Phil says:
16 June 2021

Your ISP’s router will be gathering data about your browsing. Purely for market research purposes of course…

Better to bin it and buy your own.

Surely my ISP can monitor my browsing with or without me using their router…

Phil says:
16 June 2021

Possibly but when my ISP provided router packed up I replaced it with a third party one and got a letter urging me to replace it with the new one they sent me. They know I’m not using their router and must be getting some useful information from them or why are they keen to get me using it?

I’ve never had any of that with PlusNet. Which ISP do you use Phil?

Phil says:
16 June 2021

EE

Thanks. It does also occur to me that their customer support staff may find it much easier to support users on standard company supplied routers.

Or, as you suggest, those may come with company backdoor logins and spyware.

Phil says:
16 June 2021

I think that’s very much a given but the one they sent me, BrightBox, had not long been rated as one of the worst for security.

Em says:
23 July 2021

Of course, it might not be hackers. Excerpt from an Amazon US review for a Wi-Fi enabled Honeywell thermostat. Quoted temperatures are in Fahrenheit:

The device works flawlessly. You can adjust the temp from anywhere you have a Wi-Fi or cellular signal. Little did I know that my ex had found someone that had a bit more money than I did and decided to make other travel plans. Those plans included her no longer being my wife and finding a new travel partner (Carl, a banker). She took the house, the dog and a good chunk of my 401k, but didn’t mess with the wireless access point or the Wi-Fi enabled Honeywell thermostat.

Since this past Ohio winter has been so cold I’ve been messing with the temp while the new love birds are sleeping. Doesn’t everyone want to wake up at 7 AM to a 40 degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won’t last forever, but I can’t help but smile every time I log in and see that it still works. I also can’t wait for warmer weather when I can crank the heat up to 80 degrees while the love birds are sleeping. After all, who doesn’t want to wake up to an 80 degree home in the middle of June?

I’m sure a lot of us know how this feels in the current heatwave.

Richard Russell says:
18 September 2021

In October’s Which? this question was asked: “with regards to hacked cameras, are those cameras open to the internet through an open port on the router?”. I’ve often wondered that too. Yet the reply in the magazine does not address this question, referring only to devices having “weak default passwords”. But if the device cannot be seen from the internet (WAN) because there is no port open on the router to provide access to it, that shouldn’t matter. The question deserves a proper answer.