Researchers have found serious security & privacy issues in 11 different smart doorbells, distributed via online marketplaces like Amazon & eBay, which could be exploited by attackers to physically switch off the devices.
Smart doorbells, which connect to a smartphone & alert users when someone approaches their home, along with video footage, have become increasingly popular in recent years.
Matt Lewis, Research Director at NCC Group, explained during a recent podcast that these smart doorbells were discovered to have a range of issues, including weak password policies, lack of data encryption & excessive collection of customer information.
“Our findings could cause issues for consumers & are indicative of a wider culture that favours shortcuts over security in the manufacturing process,” Lewis observed.
“However, we are hopeful that the much-anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles & educate consumers about the risks & what they can do to protect themselves.”
Researchers, in partnership with Which?, examined smart doorbells from Victure (smart video doorbell camera for 90 Euro); Qihoo 360 (360 D819 smart video doorbell, for 87 Euro); Accfly (wireless video doorbell for 51 Euro).
Researchers discovered a number of issues with these products. 2 of the devices tested, manufactured by Victure & Ctronics, had a critical vulnerability that could allow cyber-criminals to steal the network password.
The defects also would allow cyber-criminals to hack not only the doorbells & the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure Smart Video Doorbell also was found to send customers’ home WiFi name & password unencrypted to servers in China!
“If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, & any other smart devices they own,” said Lewis.
A large number of the doorbells tested also used weak, default & easy-to-guess passwords, researchers concluded.
“It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers,” Lewis noted.
Researchers found that another device, bought from eBay & Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK.
The KRACK attack, a.k.a. Key Reinstallation Attack, was discovered in 2017. KRACK was an industry-wide problem in the WPA and WPA2 protocols for securing Wi-Fi that could cause complete loss of control over data.
For the smart doorbell, this vulnerability could allow an attacker to break the WPA2 security on someone’s home WiFi & ultimately gain access to their network, observed researchers.
Finally, researchers outlined, the Qihoo 360 Smart Video Doorbell, which is sold on Amazon, was easy to physically steal. Criminals could simply detach it from the wall with a standard SIM-card ejector tool (included with all smartphones). It could then be reset & sold.
Which? tried to contact all the manufacturers, but could only find details for Accfly and Victure, who did not respond. They also failed to track down someone to contact for the other doorbells, as some had no branding at all. Instead, researchers contacted eBay & Amazon, where the doorbells were purchased.
Amazon removed at least 7 product listings after the research was presented to the company.
“We require all products offered in our store to comply with applicable laws and regulations & have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores,” explained Amazon in a statement.
eBay responded that it continues to facilitate discussions between Which? & the smart doorbell sellers so the concerns can be addressed.
“When a product is listed that violates our safety standards, we remove the listing straight away,” said eBay in a statement. “These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.”
Lewis stressed that consumers could stay secure by staying away from unknown brands & instead buying from reputable ones. In addition, researchers advised, consumers should always check their password when setting up a new device, check settings to make sure that all updates run automatically, & enable two-factor authentication (2FA) if the device supports it.