As the Cyber Resilience Act develops, Euroconsumers keeps up its testing of consumer IoT with new investigations into children’s products and finds critical vulnerabilities in baby monitors, smartwatches and tablets.

Euroconsumers’ track record and expertise in testing the security of consumer home IoT through projects like the Hackable Home is continuing with a new batch of tests run on connected products aimed at babies and children.

Products like connected baby monitors and tablets and smartwatches aimed at young children are increasingly popular but many on sale lack basic security provisions.

Testing by Belgian member Test-Achats and Portuguese member Deco Proteste found that digital baby monitors that promise to give new parents security and peace of mind in fact contain serious security flaws. Wearables and tablets aimed at kids also lack the most basic protections, leaving children’s information and location wide open to hackers.

The Cyber Resilience Act must be strengthened to keep children safe

Euroconsumers has been here before, and alongside our testing regime, together with BEUC we have consistently called for the security of consumer IoT to be taken as seriously as the risks it poses.

We want to see: a stronger and more effective enforcement regime; consumers products subject to mandatory security measures; better redress for consumers; and greater accountability and responsibility for monitoring security throughout a product’s lifetime on the part of manufacturers.

A Cyber Resilience Act is in the pipeline, and even though in the latest version consumer IoT will be required to be cybersecure by design and by default, it will not be subject to stringent, third party assessments that products defined as ‘critical’ are. This leaves it up to manufacturers to verify the safety and security of their devices.

As is clearly shown in Euroconsumers’ latest round of testing, manufacturers, particularly those making inexpensive devices have a poor track record in designing basic security provisions even for the most vulnerable consumers.

Critical vulnerabilities found in smart baby monitors and other devices

The investigation tested 17 connected products aimed at babies and children and found flaws in all of them.  A total of 69 vulnerabilities were identified across the products which were then assessed for level of risk. Of these, five devices had a critical vulnerability, and seven had a medium to high severity vulnerability.

Security vulnerabilities ranged from weak password requirements to unencrypted data (on transit and on rest) or even back doors that allowed for unauthorized access to deeply personal information like an unborn baby’s heartbeat or a sleeping baby’s movements. In some cases, hackers need to physically access a device or need to be in close range to it (e.g. within WiFi distance), in others, attacks can be carried out from a distance, from anywhere in the world.

Lower security found in less familiar brands

The unbranded or less well-known branded products came out worse. Investigators found a higher number and more severe type of vulnerabilities in these than in those of big-name brands, and yet were readily available on online shopping platforms like Amazon, Wish, eBay and AliExpress.

This doesn’t guarantee that more expensive brands are 100% safe, but our labs did not find any critical vulnerabilities in these more popular and better-known brands.

Easily hackable smart baby monitors

Some of the most concerning issues were found with cheap baby monitors. Wifi-enabled monitors link up with an app that can then allow parents and carers to check on their baby via a microphone and camera feed that goes straight to your smartphone or tablet. However, the tests exposed that some baby monitors had no less than five critical vulnerabilities, meaning a malicious person could easily tap into their video stream.

These were down to insufficient access control on the cloud service used or the absence of other proper protection measures. Most worryingly, in some cases an attacker could gain access to the video stream of any given baby monitor available on the server, showing how one small access point to one device can have a much larger scale impact.

Smartwatches and tablets: connecting children to risks

Smartwatches designed especially for children before they’re old enough for a smartphone offer parents a chance to track their kids’ location and give kids options to make emergency calls and send texts to trusted contacts.

Most of those tested offered pretty good protection, but one had no protection against unwanted messages (SMS) making it possible to hack into them via a malicious text, and then track the child via GPS.

Basic security safeguards were absent from the tablet under investigation, any device that could connect via USB was automatically granted high levels of access to do things like installing spyware or stealing WiFi credentials and other sensitive data. Parental control features were also absent which should be included by design given this is a product specifically aimed at young children.

Make manufacturers and marketplaces more accountable for children’s security

All digital products should fulfill stringent security and privacy expectations to minimise the risk of harm. When these products are aimed at, or designed for children and involve cameras, microphones and the tracking of sensitive data this requirement is non-negotiable.

Yet, as the tests show, unsafe and insecure smart devices are readily available at attractive prices.

We want manufacturers to prevent the aforementioned issues from resurfacing by committing to privacy and security by design, with privacy and security-related risk assessments undertaken during the entire design process.

In addition, the marketplaces where many of these smart products are being sold should be able to be held liable for the security issues with the products they sell.

Can we rely on the Cyber Resilience Act?

The good news is that better legislation is on its way. The Cyber Resilience Act contains measures like common cybersecurity standards that we have been calling for for a long time to address the security flaws that our tests keep on detecting.

Expectations are high, and we welcome the Act but in order to really deliver the security consumers desperately need, some changes are required.

While common cybersecurity standards may help, the proposal currently under review does not designate consumer connected products as ‘critical’ and of higher risk, meaning that manufacturers will not be obliged to carry out a third-party assessment of security.

This means that as it stands, people buying popular connected products like smart security alarms, fitness trackers, baby monitors and other connected toys would have to rely on the manufacturer’s word that they met the common cybersecurity standards.

Given the prevalence of negligence and poor practice by manufacturers that we have uncovered, and the wide availability of inexpensive, connected devices on online shopping sites this loophole must be closed.

Consumer IoT exposes individuals and whole systems to harm, connected consumers deserve and need better security.