Ding Dong! – Smart Doorbell Alert – Many Brands Vulnerable to Attack!

Investigation reveals device sector is ‘problem plagued’ when it comes to security bugs.

Smart doorbells, designed to let homeowners keep an eye on visitors, wanted & unwanted, can often cause more security harm than good compared to their analogue door-bolt alternatives.

‘Riddled’

Consumer-grade digital doorbells are ‘riddled’ with potential cyber-security vulnerabilities, ranging from hardcoded credentials & authentication issues to devices shipping with unpatched, longstanding critical bugs.

That new assessment comes from NCC Group, which published a report last week outlining “domestic IoT nightmares.” In partnership with the publication Which?, it assessed smart doorbell models made by 3 vendors (Victure, Qihoo & Accfly) along with white-box offerings from 3 additional doorbell makers.

Verdict?

“Overall, the issues we have seen during this research have outlined a poor approach to developing secure IoT devices. There are still devices being developed, shipped & sold with an array of issues, let alone these issues being cloned into knock-off, copycat devices,” wrote NCC Group’s co-authors of the report.

The scope of the problems uncovered included undocumented features that, if known, could be exploited by hackers. Other issues found were tied to the mobile applications used to access the doorbells along with vulnerabilities in the hardware itself.

Absent

Noticeably absent from the analysis are the names of market-share leader Ring Video Doorbell & the handful of other big players such as Nest, Vivint & Remo. Nevertheless, the study comes as a ‘flood’ of smart doorbells has been introduced into the consumer market, feeding a robust appetite for the niche.

Smart doorbells are the leading reason for a 33% increase in smart home gadgets flooding US & European homes in 2020, according to Hub Entertainment Research. 39% of all US homes have a connected device.

Dangerous Doorbells

Models examined were Victure’s VD300, Accfly’s Smart Video Doorbell V5 & Qihoo’s 360 D819 Smart Video Doorbell. Another doorbell, identified only as “Smart WiFi Doorbell” & using hardware from the manufacturer YinXx, was also examined. In addition, an unspecified “HD Wi-Fi Video Doorbell V5” model was tested.

A smart doorbell identified only as XF-IP007H was also tested. A number of brands use “XF-IP007H” in their product names, including Extaum, Docooler & Tickas. These doorbells, as with all those tested by NCC Group, are sold at competitive prices & available through Amazon’s e-commerce website, Walmart.com & other popular online retailers.

Researchers said the majority of the devices analysed were clones of the Victure doorbell, which had a number of pre-existing security issues associated with it.

Undocumented

One issue identified in the Qihoo device was an undocumented & fully functional DNS service. “Investigation into this type of service can sometimes lead down the route of a covert DNS channel for malware delivery. We did not see anything during testing that could lead us into such a rabbit hole,” wrote researchers.

On the Victure doorbell, an undocumented HTTP service was found running on port 80. Researchers noted that the service required credentials; however, those credentials could easily be extracted from “an unbranded clone of this device for sale online.”

Cloned Device

“The firmware was extracted from the cloned device to retrieve the login details by simply performing strings across the firmware. Further analysis of the device firmware revealed the API calls required to interact with the device,” researchers wrote.

Next, combing through the device’s output logs, researchers found the cleartext Wi-Fi network name & password, which could be used in an attack against the Victure doorbell.

Mobile App

Digital lock picking via the mobile application used to control the digital doorbells was a cinch, thanks to unencrypted communications.

“On a number of devices, HTTPS was not enforced or didn’t even exist as a communication method on a range of mobile applications, such as the Victure mobile application, which was found to be requesting a root certificate via an HTTP request,” researchers wrote.

A lack of encryption could allow sensitive information, such as usernames & passwords, to be “seen” in the data communications between the mobile device & the doorbell’s backend services.
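The two failures described above (a root certificate fetched over plain HTTP, and credentials sent without HTTPS) are both catchable before release. The following is an added example, not code from the report or from any of the doorbell vendors: a client-side transport policy that refuses non-HTTPS URLs, plus an audit that runs over constructed proxy-log style request lines and flags sensitive material sent in cleartext. The hostnames and log format are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of app-to-backend requests in a simple proxy-log style
# ("METHOD URL [body]"). Hostnames are hypothetical placeholders, not values
# from the NCC Group report.
SAMPLE_REQUESTS = [
    "GET http://api.doorbell.invalid/certs/root.pem",
    "POST http://api.doorbell.invalid/login user=alice&password=hunter2",
    "POST https://api.doorbell.invalid/login user=alice&password=hunter2",
    "GET https://cdn.doorbell.invalid/firmware/v1.2.bin",
]

# Parameter names whose values must never travel in cleartext.
SENSITIVE_KEYS = {"password", "pass", "pwd", "token", "secret", "psk"}
# Paths where even the fetch itself is a finding (trust anchors, auth endpoints).
SENSITIVE_PATHS = re.compile(r"/(?:certs?|login|auth|token)(?:/|$)", re.I)


def transport_allowed(url: str) -> bool:
    """Policy: only absolute HTTPS URLs may be contacted by the app."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def enforce_https(url: str) -> str:
    """Call before every request; raising here is cheaper than leaking later."""
    if not transport_allowed(url):
        raise ValueError(f"refusing non-HTTPS transport for {url!r}")
    return url


def _sensitive_params(query: str) -> list:
    """Names of sensitive parameters present in a query string or form body."""
    params = parse_qs(query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in SENSITIVE_KEYS)


def audit_requests(lines) -> list:
    """Return (method, url, reason) for every cleartext request that exposes
    credentials or fetches a security-sensitive resource."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # malformed line; skip rather than guess
        method, url = parts[0], parts[1]
        body = parts[2] if len(parts) > 2 else ""
        parsed = urlparse(url)
        if parsed.scheme == "https":
            continue
        leaked = _sensitive_params(parsed.query) + _sensitive_params(body)
        if leaked:
            findings.append((method, url,
                             "credentials sent in cleartext: " + ", ".join(leaked)))
        elif SENSITIVE_PATHS.search(parsed.path):
            findings.append((method, url, "sensitive resource fetched in cleartext"))
    return findings


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(*finding)
```

The policy function belongs in the app's single HTTP client wrapper so that no call site can opt out; the audit is the kind of check a tester runs over captured traffic to confirm the policy actually holds.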

QR Codes

Another attack method discussed was the abuse of QR codes, a type of image-based barcode for quickly obtaining additional information. Many of the digital doorbells, in attempts to simplify access, allowed customers to use their phone’s camera to take a picture of a QR code, which configures the user’s app with the correct credentials.

“Some people use their smartphones to take screenshots of different things, while most modern smartphones also automatically backup photos,” researchers observed. In this situation, an adversary with access to a user’s cloud-based camera roll backup would also have access to the QR codes.

“The attacker can then quickly decode the QR code & extract the plaintext BSSID & password for the Wi-Fi network instead of having to attempt a deauth and/or evil twin attack,” they concluded.
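The QR-code problem above is that the provisioning image is itself a credential, so any copy of it (screenshot, cloud backup) is a copy of the Wi-Fi password. As an added example, not code from the report or from any vendor's app, the block below parses the standard "WIFI:" QR payload that phone cameras understand (the report does not say which payload format the doorbell apps use; that format is an assumption here), flags payloads that embed a plaintext passphrase, and contrasts them with a hypothetical pairing payload that carries only a short-lived random token, so a saved image of the code stops being useful once it expires.

```python
import re
import secrets
import time


def parse_wifi_qr(payload: str) -> dict:
    """Parse the common 'WIFI:' QR payload, e.g. WIFI:T:WPA;S:<ssid>;P:<psk>;;
    (assumed format; the report does not document the apps' actual payload).
    Fields are ';'-separated, and a literal ';' or ':' inside a value is
    backslash-escaped."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields = {}
    for item in re.split(r"(?<!\\);", payload[len("WIFI:"):]):  # split on unescaped ';'
        if not item:
            continue
        key, sep, value = item.partition(":")
        if sep:
            fields[key] = value.replace("\\;", ";").replace("\\:", ":")
    return fields


def assess_payload(payload: str) -> list:
    """Risk findings for a provisioning payload that may end up in a screenshot
    or cloud photo backup: anything that contains a reusable secret is flagged."""
    findings = []
    if payload.startswith("WIFI:"):
        f = parse_wifi_qr(payload)
        if f.get("P") and f.get("T", "").lower() != "nopass":
            findings.append("plaintext Wi-Fi passphrase embedded for SSID %r" % f.get("S"))
    elif re.search(r"(?i)\b(?:psk|pass(?:word|phrase)?|pwd)\s*[=:]", payload):
        findings.append("password-like field in custom payload")
    return findings


def make_pairing_payload(ttl_seconds: int = 300) -> str:
    """Hypothetical alternative scheme (not from the report): the QR carries only
    a random, short-lived pairing token. The Wi-Fi credentials are sent later
    over the app's authenticated channel, so a copy of the image leaks no
    long-lived secret and is worthless after `ttl_seconds`."""
    token = secrets.token_urlsafe(16)
    expiry = int(time.time()) + ttl_seconds
    return f"DOORBELL-PAIR:v1;token={token};exp={expiry};;"


if __name__ == "__main__":
    weak = "WIFI:T:WPA;S:HomeNet;P:hunter2;;"  # constructed sample
    print(weak, assess_payload(weak))
    strong = make_pairing_payload()
    print(strong, assess_payload(strong))
```

The parser is the piece a tester reuses: point it at whatever the app actually renders into the QR image, and if `assess_payload` returns a finding, the screenshot-backup scenario the researchers describe applies to that product.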

Hardware

Researchers pointed out that often the physical doorbell hardware was not securely mounted & could be easily removed – for tampering purposes.

“The main method for these devices to be secured was using a mounting bracket that was either glued or screwed onto a flat surface & the device sat in the mounting bracket.

It would be easy for an attacker to quickly release the doorbell from the bracket & steal the device in under 10 seconds & some of the devices had no method of notifying the user until it was too late that it was turned off, or moved,” they wrote.

Pressure Trigger

Only 1 digital doorbell used a pressure trigger that would sound an alarm if tampered with. Even so, the researchers pointed out that a 2.4GHz jammer could thwart any alarm, after which the attacker could remove the device’s batteries or disable the power cable.

By removing the hardware, an attacker could siphon video captured by the doorbell & stored on its SD card to determine typical occupant behaviour. The firmware could also be extracted & used to identify the Wi-Fi BSSID & plaintext Wi-Fi password for accessing the network.

Binary Analysis

“Once the firmware was obtained it was possible to analyse it using a range of binary analysis tools (Binwalk, Ghidra, even Linux tools as simple as Strings) to break down the firmware structure & discover sensitive information contained within the firmware including hardcoded credentials, IP addresses & break down the firmware to understand the firmware and its potential weaknesses,” researchers wrote.
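The quoted passage (and the earlier account of running `strings` across the cloned Victure firmware) describes the simplest possible audit, and it is one a vendor can run on its own images before they ship. The following is an added example, not code from the report or from any of the doorbell makers: a `strings`-equivalent over a raw firmware blob with pattern checks for the kinds of material the researchers found (hardcoded credentials, embedded IP addresses, private keys). The sample image is constructed inline; the patterns are a starting set, not an exhaustive one.

```python
import re
import sys

MIN_LEN = 4
# Runs of printable ASCII, the same notion of "string" as `strings -n 4`.
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Things that should never be baked into a shipped image. Labels are the
# finding categories; patterns are deliberately broad (review the hits).
CHECKS = {
    "hardcoded credential": re.compile(
        rb"(?:pass(?:word|wd|phrase)?|pwd|secret|psk|token)\s*[=:]\s*\S+", re.I),
    "basic-auth pair": re.compile(rb"\b(?:admin|root):\S{3,}"),
    "ip address": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "private key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def extract_strings(blob: bytes) -> list:
    """All printable-ASCII runs of at least MIN_LEN bytes, in file order."""
    return [m.group(0) for m in PRINTABLE.finditer(blob)]


def scan_firmware(blob: bytes) -> list:
    """Return (category, string) pairs for every extracted string that trips a check."""
    findings = []
    for s in extract_strings(blob):
        for label, pattern in CHECKS.items():
            if pattern.search(s):
                findings.append((label, s.decode("ascii")))
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return scan_firmware(fh.read())


def build_sample_image() -> bytes:
    """Constructed firmware-like blob: non-printable padding around a handful
    of config-style strings. Values are made up for the example (192.0.2.10 is
    a documentation address), not taken from any real device."""
    pad = bytes(range(0x80, 0x100))  # bytes outside the printable range
    pieces = [
        b"\x7fELF",                               # too short to count as a string
        b"wpa_passphrase=S3cretHome!",            # credential in a config fragment
        b"admin:Passw0rd",                        # login pair for the web service
        b"http://192.0.2.10/api/v1/reboot",       # hardcoded backend address
        b"Copyright 2019 Example",                # benign string, no finding
        b"-----BEGIN RSA PRIVATE KEY-----",       # embedded private key
    ]
    return pad.join(pieces) + pad


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_firmware(build_sample_image())
    for category, text in results:
        print(f"{category:22s} {text}")
```

Run it with a path argument to scan a real image you are responsible for; with no argument it scans the constructed sample. Tools such as Binwalk first unpack compressed filesystems, so in practice this scan is run over each extracted file as well as the raw image.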

Using this technique, NCC Group researchers determined one of the doorbell devices still had an unpatched Key Reinstallation Attacks (KRACK) vulnerability. The KRACK vulnerability, plugged in 2017, allows attackers to decrypt encrypted traffic, steal data & inject malicious code depending on the network configuration.

Victure Clones

“It can be confirmed conclusively that the majority of the devices analysed were clones of the Victure doorbell which already had a range of security issues associated with it.

There was also evidence to show that the mobile applications that were being used by multiple cloned doorbells were clones of each other as well,” researchers wrote.

Researchers concluded that the concerns were widespread & pointed to a lack of a security-by-design ethos among doorbell manufacturers. They added that, sadly, digital doorbell makers were not alone & that similar issues plagued other devices such as smart plugs.
