When it comes to shopping for connected devices, consumers don’t always have access to information about which products have good cybersecurity and which don’t. That’s why Consumer Reports (CR) built a cybersecurity and privacy testing lab. The engineers in this testing lab put popular connected products through their paces to determine which ones follow good cybersecurity and privacy practices.
When CR engineers find problems, they contact the company involved to let them know what they discovered. And in several cases, these conversations have led to improvements in the products that consumers are bringing into their homes. In this blog post, we’re showcasing some of the work CR has done on this front, and providing a look at how we’re testing smart home products for privacy and security issues.
Security is an Invisible Attribute
When you buy a connected device, you are extending quite a bit of trust. For every connected camera, light bulb or appliance that you bring into your home, you’re making a bet that the company that makes it cares about your security. That they plan to support that product for a reasonable amount of time. That they will monitor for vulnerabilities in the product and then issue patches.
Because security is an invisible attribute, it can be tough for consumers to determine which companies to trust. That’s why CR has been working toward building the U.S. Cyber Trust Mark, researching how well smart home companies handle security vulnerabilities, and advocating for more transparency around how long vendors plan to support those products. We also have written model legislation to require companies to disclose support windows for connected devices. But those initiatives are not legally binding yet, so there’s a lot of legal grey area around what level of security is required for IoT devices.
Behind all our work on this front is our cybersecurity and privacy testing lab. The lab conducts tests on internet-connected devices to determine how seriously the manufacturers take cybersecurity. While no connected device will ever be completely secure, CR engineers assess these devices against The Digital Standard, which includes checking how the device handles software updates, how long the company says it plans to support the product, whether the product has appropriate authentication, and more.
When our engineers find a vulnerability, they write a report and share it with the manufacturer. In an ideal world, they hear back from the manufacturer with a plan to address the issue. CR engineers test the product again to ensure that the patch solved the vulnerability. The most public example of this process was covered last year when CR shared the results of an investigation into Chinese video doorbells made by Eken, which had several security flaws. Our testing team discovered that the video doorbell could have allowed a hacker, stalker, or other bad actor to gain control of the doorbell and view images from the doorbell camera remotely. The vulnerabilities also leaked home IP addresses and WiFi network names. Eken released new firmware that resolved those vulnerabilities after CR reported on them.
The doorbells also lacked proper Federal Communications Commission (FCC) ID labels on their packaging and/or plastic casings, which made them illegal to sell in the U.S. The FCC eventually proposed a $734,872 fine against Eken and launched a further audit of hundreds of device certifications tied to the US designated agent that managed the certifications for Eken.
This is just one public example of a company changing its behavior because of our team’s cybersecurity testing. But this is what we do every day. Almost all of this happens behind the scenes, but we work with companies to fix vulnerabilities constantly to make the internet a more secure place. Here are a few recent examples from our testing work.
A Security Camera Gets More Secure

Unencrypted image of CR testing lab pulled from the Aqara G5 Pro Camera’s network traffic logs
Sending camera images over insecure channels, or in an accessible format, is not uncommon. Recently the CR test team discovered that Aqara, the maker of a variety of smart home hubs and devices, was sending unencrypted thumbnail images from its Aqara G5 Pro Camera over the public network.
After the testing team reached out to Aqara, the company said it would solve the encryption problem by updating from HTTP to HTTPS when sending data over the internet by mid-October, and by adding AES encryption to all transmitted images by the end of October. Aqara has said it has made that update, and our testing team confirmed it was effective.
Routers Shipping Your Passwords in Plain Text
A lack of encryption for data that should be kept private is a common flaw the test team sees. In Asus’ case, the test team saw a few models of its routers send Wi-Fi SSIDs and passwords in plain text across the local network and the public internet. This means that a hacker could have relatively easy access to a person’s Wi-Fi password. It’s especially egregious to send passwords in plain text over the public internet, where anyone could easily intercept them.
When contacted, Asus said they would fix the problem. The initial fix involved hiding the SSID and password data using Base64 and MD5. The testing team shared that the password information was still visible. Base64 encodes text, but doesn’t encrypt it (think of it like pig latin, which can be easily deciphered if you understand the basic formula). MD5 is a deprecated hash function that is no longer considered secure against anyone trying to access the data.
We believe Asus then adopted modern encryption for this sensitive data because, as of the most recent test on September 30, our engineers could not see user name and password data transmitted in plain text or occluded by Base64 or MD5. Asus did not reply when asked for further comment.
We saw similar behavior in the Tenda AX3000 EX12 Mesh WiFi 6 System. In this case, the router’s app sent the system’s admin password, SSID, serial number, device IDs, and more unencrypted over the public internet. Its destination was an Alibaba server in Singapore. The testing team also found that the incorrect passwords people tried to use to log in were sent in plain text. This is especially troubling for people who might use only a few passwords or a variation on a single password for their logins, because it would be easy to pull a person’s commonly used passwords or the password format that person uses from the logs. Then an attacker could access multiple accounts.
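A retest like the one described above can be automated by planting known credentials on the device and searching captured traffic for them in plain text, Base64, and MD5 form. The sketch below is an added example, not CR's tooling or any vendor's code; the credentials, field names, and request bodies are all constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed test credentials a lab would set on the device before capturing.
PLANTED = {"ssid": "CR-Lab-Test-Net", "wifi_key": "Planted-Passw0rd!42"}

def md5(raw: bytes):
    # usedforsecurity=False: MD5 is only used here to recognise a leak.
    return hashlib.md5(raw, usedforsecurity=False)

def credential_forms(secret: str) -> dict:
    """Every weakly obscured form of a planted secret worth searching for."""
    raw = secret.encode("utf-8")
    return {
        "plaintext": raw,
        # Padding stripped so padded and unpadded Base64 both match.
        "base64": base64.b64encode(raw).rstrip(b"="),
        # Unsalted MD5 is deterministic, so a known value is recognisable.
        "md5-hex": md5(raw).hexdigest().encode("ascii"),
        "md5-base64": base64.b64encode(md5(raw).digest()).rstrip(b"="),
    }

def find_exposures(payload: bytes, planted: dict = PLANTED) -> list:
    """Return (field, form) pairs for each planted secret seen in payload."""
    lowered = payload.lower()  # hex digests may be upper-cased on the wire
    hits = []
    for field, secret in planted.items():
        for form, needle in credential_forms(secret).items():
            haystack = lowered if form == "md5-hex" else payload
            if needle in haystack:
                hits.append((field, form))
    return hits

def sample_payloads() -> dict:
    """Constructed request bodies; not the real format of any vendor."""
    f = {k: credential_forms(v) for k, v in PLANTED.items()}
    return {
        "plaintext": json.dumps(PLANTED).encode(),
        "base64_md5": json.dumps({
            "ssid": f["ssid"]["base64"].decode(),
            "wifi_key": f["wifi_key"]["base64"].decode(),
            "wifi_key_md5": f["wifi_key"]["md5-hex"].decode().upper(),
        }).encode(),
        # Stand-in for ciphertext: opaque bytes unrelated to the secrets.
        "encrypted": hashlib.sha256(b"constructed ciphertext").digest() * 4,
    }

if __name__ == "__main__":
    for name, body in sample_payloads().items():
        print(name, find_exposures(body))
```

The check only recognises values encoded on their own; a Base64 blob that joins several fields before encoding would need to be decoded first and then searched.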

Logs showing Tenda’s app sending unencrypted login attempts, passwords, SSIDs, and other data over the public internet to a server in Singapore
The test team reported their findings to Tenda in April 2024, and heard back from the company within two weeks. The test lab confirmed that the issue was fixed in July 2024. We reached out to Tenda to get any further information, but did not hear back.
These are just a few examples of our testing team doing what CR has done for nearly 90 years — independently testing products to ensure that they’re safe. This informs our advocacy and work across every field. So whether we’re pushing to keep lead out of baby food or ensuring your routers keep your passwords secret, our testing engineers are essential in making the world a little safer.



