Matt Lewis, with NCC Group, talks to Threatpost about a slew of security and privacy issues found in smart doorbells that are being sold on Amazon and eBay.
Researchers have found serious security and privacy in 11 different smart doorbells, distributed via online marketplaces like Amazon and eBay, which could be exploited by attackers to physically switch off the devices.
Smart doorbells, which connect to a smartphone and alert users when someone approaches their home, along with video footage, have been increasingly popular over the years. Matt Lewis, research director at NCC Group, told Threatpost during this week’s Threatpost podcast episode that these smart doorbells were discovered to have a slew of issues, including weak password policies, lack of data encryption and excessive collection of customer information.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.
“Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process,” Lewis said. “However, we are hopeful that the much-anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves.”
Researchers, in partnership with Which?, looked at smart doorbells from Victure (smart video doorbell camera for 90 Euro); Qihoo 360 (360 D819 smart video doorbell, for 87 Euro); Accfly (wireless video doorbell for 51 Euro).
Researchers found a bevy of issues with these products. Two of the devices tested, manufactured Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password. The flaws also would allow cybercriminals to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure Smart Video Doorbell also was found to send customers’ home WiFi name and password unencrypted to servers in China.
“If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own,” said Lewis.
A large number of the doorbells tested also used weak, default and easy-to-guess passwords, said researchers.
“It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers,” Lewis said.
Researchers found that another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK. The KRACK attack, a.k.a. Key Reinstallation Attacks, discovered in 2017. The KRACK approach was an industry-wide problem in the WPA and WPA2 protocols for securing Wi-Fi that could cause complete loss of control over data.
For the smart doorbell, this vulnerability could allow an attacker to break the WPA-2 security on someone’s home WiFi and ultimately gain access to their network, said researchers. Finally, researchers said, the Qihoo 360 Smart Video Doorbell, which is sold on Amazon, was easy to physically steal. Criminals could simply detach it from the wall with a standard Sim-card ejector tool (included with all smartphones). It could then be reset and sold.
Which? tried to contact all the manufacturers, but could only find details for Accfly and Victure, who did not respond. They also failed to track down someone to contact for the other doorbells, as some had no branding at all. Instead, researchers contacted eBay and Amazon, where the doorbells were purchased. Amazon for its part removed at least seven product listings after the research was presented to the company.
“We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores,” said Amazon in a statement.
eBay, for its part, said it continues to facilitate discussions between Which? and the smart doorbell sellers so the concerns can be addressed.
“When a product is listed that violates our safety standards, we remove the listing straight away,” said eBay in a statement. “These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.”
Lewis stressed that consumers can stay secure by staying away from unknown brands, and instead buying from reputable brands. In addition, researchers said, consumers should check their password always when setting up a new device, check settings to make sure that all updates run automatically, and enable two-factor authentication (2FA) if available on the device.