Online marketplaces flooded with illegal smart tech

Nearly 90% of smart products in a snapshot check on Amazon, eBay and Temu did not seemingly meet new legal requirements for security support transparency
Andrew LaughlinPrincipal researcher & writer

New laws are now in place to improve security standards for smart products – which among other things compel brands to inform you how long they will support products with vital updates. 

However, as we reported in June 2024, major brands were not being clear about how long products would be supported, with others ignoring their law completely. 

If you're shopping for smart tech on an online marketplace, the picture is even bleaker – we found hundreds of smart gadgets for sale through eBay, Amazon and Temu that seemingly did not come close to adhering to the law, and could end up putting your security at risk.

Find out how to pick a smart product that lasts and won't sell you short with shoddy security.

Why smart tech sold on online marketplaces could be breaking the law

Many smart products sold on online marketplaces are generic, ‘white label’ devices originating in Chinese manufacturing hubs, such as Shenzhen. As we have shown with previous investigations, they can often be littered with security flaws. 

In the first two days after the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) came into force on 29 April 2024, we ran searches for ‘wireless camera’ and ‘smart doorbell’ on Amazon, eBay and Temu. We excluded second hand devices, which are not covered by the legislation, and then checked the first 50 listings presented (we could only find 32 valid smart doorbell listings on Temu).  

Based on our snapshot research, 248 out of 282 (88%) of the listings we reviewed were, in our view, non-compliant with the update policy component of PSTI. This states that all brands should have published a policy stating how long they will support the product at a minimum in a period of years with a clear end date. 

In the majority of cases this was because there was no brand attached to the product (even the few branded products had curious names such as ‘passion-fruit-4u’), and so there was no website through which to publish the update policy. We also checked for a policy on the marketplace listing. 

Temu website
  • Amazon: Products checked on Amazon had the highest compliance based on our snapshot check, although still 68 out of 100 (68%) did not meet the requirements. The compliant listings were mostly Amazon brands, such as Ring or Blink, or other mainstream names. Amazon has also started publishing software updates information on some sales listings, despite it not being required to do so under the legislation. However, we noted that some listings had the ‘Guaranteed software updates until’ specification listed as ‘‎unknown’. 
  • eBay: On eBay, 98 listings out of 100 we checked (98%) were not compliant with the update policy requirements. The two compliant devices were actually Amazon Ring doorbells being sold as new. 
  • Temu: The situation was even worse on fast-growing online marketplace Temu, where all 82 products we checked in the days after PSTI came into force did not meet the requirements. Only four out of 82 products even had a vaguely recognisable brand. 

A lot of these marketplace products appeal to budget conscious shoppers. They look like Ring or Nest devices, but cost a fraction of the price. The average price of a wireless camera on Temu at the time was just £15.50, while you could pick up a smart doorbell on eBay for just £25 on average. 

The online marketplaces 'loophole'

These smart products fall into a rather substantial loophole under the PSTI legislation. During the passage of law we expressed concern that online marketplaces were not proposed to be included in the definition of retailers, importers or distributors. This meant that they would have limited to no responsibilities to proactively take action under the legislation. 

We proposed to expand the definition of ‘distributors’ to include ‘listings platforms’, auction sites and other marketplaces. This was denied by the Government at the time, so under this legislation marketplaces are not responsible for compliance.  

Manufacturers do have a responsibility under the Act, but as the majority of the marketplace smart products are produced in China and then re-distributed by a network of sellers, it is hard to pin down who is responsible to comply. 

Even if an update policy was stated for these devices, could you really trust that it would be honoured and a critical vulnerability with your product actually fixed? 

How the marketplaces responded to our findings

In 2021, before the PSTI regulations came into force, eBay had told us: 'If the UK Government introduces new regulations in this area, sellers will of course have to comply with them' and that 'any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers.' 

When we presented our findings in 2024, the auction site said: 'As stated in the PSTI Act, it is the responsibility of the manufacturer of the smart product to publish a security updates policy guarantee, ensuring relevant information is available for consumers at the point of sale. eBay is a third-party marketplace that doesn’t sell, manufacture or handle goods directly, and is not responsible for the provision of this information.'

We were still able to find thousands of unbranded smart products for sale on eBay after reporting our concerns.

An Amazon spokesperson told us: 'These regulations set out the security requirements which manufacturers, distributors and importers of relevant connectable products have to comply with. Where products are found to be non-compliant, we will take action including removing products, and contacting sellers and manufacturers to request additional information.'

A Temu spokesperson said that it had conducted a ‘comprehensive review’ of smart products on its platform, and ‘any products identified as not meeting the PSTI requirements at the time of review have been removed from sale'. 

'Going forward, only sellers who submit proof of compliance with the PSTI Act will be allowed to list their smart products on Temu. We are actively working with our sellers to guide them through this process and will continue to monitor our platform to maintain compliance with the PSTI Act and all other applicable regulations.'

How to shop for smart tech on online marketplaces

The sheer volume of unbranded smart products, including brands that only appear on online marketplaces, is vast. And with the lack of an established brand making it far more difficult to adhere to these new laws, you should be extra cautious when it comes to purchasing anything that might pose a security risk to your home.

 Our tips below can help you spot potentially insecure tech when shopping for new smart devices on online marketplaces: 

  • Brand awareness: If the device you are considering has a barely known brand, or no brand at all, be cautious. While we shouldn’t automatically default to well-known and pricey brands, it does matter who made the tech you are buying.
  • Curiosity killed the copycat: Be careful with generic tech or devices that look like copycats of more popular products. Search the marketplace for terms like 'wireless cameras', and try to spot products that look nearly identical, then be cautious about buying them. 
  • Check the reviews: Fake reviews are a problem online, as they can make a product seem better than it really is. Always check the negative reviews to see if they are flagging problems - these are more likely to be from genuine customers. 

What to do if your smart tech is no longer supported

As smart products have been unregulated for so long, there will be thousands of unsupported devices in consumer homes right now - maybe even yours. But don’t panic. An unsupported smart device isn’t immediately going to get hacked or stop working. However, these risks increase as soon as that support is removed. 

First, check what smart devices you have at home, and try to find out how long it’ll remain supported. Visit which.co.uk/updates to see what we know about support policies, or check our reviews. Some brands let you search on their websites, or try and contact the brand itself for clarity – the more customers who start asking these questions, the more seriously they should take the issue..

With any unsupported device, are there ways to use it more safely? A smart TV could be ‘upgraded’ by purchasing a new smart TV stick. A smart appliance could be disconnected from your wi-fi and still used the traditional way. For some devices, the only choice might be to upgrade.

We all need to take this seriously, though, as the smart home will eventually become the next frontline of fraud and cybercrime.

News, deals and stuff the manuals don't tell you. Sign up for our Tech newsletter, it's free monthly.

More on this

Related articles