TP-Link camera security flaw discovered in Which? tests as 'IoT law' moves closer

From smart TVs to wireless cameras, we test a wide range of internet-connected products to ensure they will protect your privacy and security.
During our most recent security tests of wireless cameras, a model by TP-Link gave us sufficient cause for concern that we contacted the manufacturer. Fortunately, it was quick to roll out a fix.
The issue underlines the importance of standards to protect consumer security and privacy, and comes as the UK government publishes plans for a new law to ensure smart devices such as wireless cameras aren't vulnerable to being hacked by cybercriminals.
TP-Link Tapo C200 vulnerability fixed
In May 2020, our testing flagged that the TP-Link Tapo C200 was vulnerable to an attack that could intercept data on the user.
An attacker would need to be on the same local network as the camera to exploit the vulnerability, but the hack had been around for more than five years, so there was no reason why such a big-brand camera should still be vulnerable to it.
Although the risk was not as serious as the widespread wireless camera vulnerability we reported on in June 2020, it was deemed sufficient for us to take action.
So, we contacted TP-Link and it created a fix, which it has now rolled out to all Tapo C200s. If you own this camera, go to the app and click on the button that updates the firmware. The rest will be taken care of automatically.

New law to tackle smart product security
There are now around 20bn smart devices in use around the world, yet only around 13% of manufacturers embed even basic cybersecurity protections, according to data from the UK government.
A new smart products industry standard was introduced in June 2020, but it's only voluntary, so manufacturers don't have to adhere to it in the products they make and sell.
So, the UK government's Department for Digital, Culture, Media & Sport has now published plans to make it law that all smart products sold in the UK comply with at least three baseline requirements:
- Device passwords must be unique and not use generic and easily guessable terms, such as 'admin' and '123456'
- Manufacturers must provide a point of contact for reporting security vulnerabilities, such as we did with TP-Link
- You must be told for how long your product will receive updates (including vital security protections) when you buy it.

Bans, recalls and fines considered
The government is now consulting on its plans, which also include a range of enforcement measures for companies that flout the rules.
These potentially include:
- Temporary or permanent bans on the sale of suspected unsecure smart products that breach regulations
- Recall notices served to manufacturers or retailers selling insecure products
- Court orders to confiscate and potentially destroy stocks of dangerous smart products
- Fines for businesses selling them
Matt Warman, minister for digital infrastructure, said: 'This is a significant step forward in our plans to help make sure smart products are secure and people's privacy is protected.
'I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.
'People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cybercriminals.'

Which? testing sets the security standard
Ahead of the new legislation potentially coming into force, Which? currently puts more than 30 different categories of smart products through rigorous and in-depth tests to ensure they protect your privacy and security. This includes wireless cameras, baby monitors, smart speakers and smart thermostats.
Only those with the highest standards can become Best Buys, and any devices that pose a significant risk to you and your data are labelled as Don't Buys.
Rocio Concha, director of advocacy at Which?, said: 'Which? has repeatedly exposed popular connected devices with serious security flaws that fall well short of agreed voluntary standards and leave consumers at the mercy of cybercriminals - so new laws to tackle this issue are an important step and can't come soon enough.
'Legislation, which must be backed by strong enforcement, should be introduced as soon as possible. In the meantime, retailers and online marketplaces must do more to prevent blatantly unsecure products being sold and manufacturers need to be more proactive at addressing security issues with their products.'