Could your smart product be a security risk?
The consumer champion found more than 1,800 smart tech products available for sale, including smart doorbells, wireless cameras, alarms and tablets, on AliExpress, eBay and Amazon Marketplace. Many use apps with inadequate security protection and could leave users exposed to hackers or infringement of their data privacy.
Which? found it difficult to trace the firms behind these white-label products. Many are based in Shenzhen or Hangzhou – two major electronics markets in China – and in most cases have limited clear contact details for consumers to report problems to and get vulnerabilities fixed.
Which? found 1,727 different products – including products that were unbranded, from little-known brands or clones of legitimate items – sold on online marketplaces and all operated via just four apps, Aiwit, CamHi, CloudEdge and Smart Life.
Working with the security experts 6point6 and NCC Group, Which? found that all four apps had potential security issues that could make them easy prey for hackers or put users’ privacy at risk.
Based on reported figures and available data, Which? believes that hundreds of thousands of these devices have been sold and could be in use in homes.
Password security was a widespread problem across the apps. By permitting weak default or user-generated passwords, these apps potentially put users at risk of hackers finding the exact location of their home and targeting other, more valuable smart devices linked to their home broadband network.
If exploited, these weaknesses could even allow a hacker to view live footage from a smart doorbell or a wireless camera.
While there are no laws currently mandating a certain level of security and privacy protection in smart products, some of the flaws Which? found would be made illegal under new legislation currently being planned by the UK government.
Which?’s researchers were particularly concerned about how difficult it was to report vulnerabilities to the companies behind the apps. Apart from Aiwit, Which? had to do extensive research to find the original app developer who could fix the problems it found.
Of the four apps, only Smart Life appeared to have a clear disclosure policy, and that only became apparent once Which? had tracked down its actual developer, Tuya. The app itself listed a different developer with no web presence, which Which? found to be a Tuya subsidiary.
A lot of the products Which? found were clones of legitimate products or even clones of already cloned products. The consumer champion combined its in-depth testing and knowledge of generic and clone smart products with a method called ‘web scraping’.
This involves taking key terms, such as the name of an app that experts know is used by a lot of smart products, and then using automated tools to trawl the marketplaces for listings that mention this term.
Usually with smart tech, a company has a single app that it uses with its own products and maintains accordingly. The difference with clone devices is that various products from different manufacturers and sellers will all use the same app.
So, if that app has a vulnerability that is not fixed, all devices using it are also potentially vulnerable. Likewise, some apps have become so large that they are almost like operating systems. In that sense they could pose risks to consumers’ data privacy.
Which? is warning consumers to be cautious when shopping for smart products, given the potential security and privacy risks found in many cloned or unbranded smart products.
Smart products by established brands tend to be more expensive – some cheap lookalikes can sell for around a third of the price of a Ring smart doorbell.
However, Which? believes that it’s not worth compromising your security or privacy by choosing a substandard product.
Kate Bevan, Which? Computing editor, said: “Our investigation has uncovered concerning security flaws with smart products that have flooded online marketplaces and could put consumers at risk this Black Friday.
“Which? is warning consumers to be cautious when shopping for connected tech products. Make sure you have researched the product you’re thinking of buying and choose one that doesn’t play fast and loose with security.”