Smart But Flawed Doorbells Cause A Ding-Dong

A smart doorbell

Smart doorbells sold for enticingly low prices on online marketplaces can be easily switched off, stolen or hacked by criminals, a Which? investigation has found.

Which? bought 11 smart doorbells, some of which looked very similar to Amazon Ring or Google Nest models, available from popular online marketplaces such as Amazon Marketplace and eBay.

Working with cyber security experts NCC Group, high-risk security issues were found among all of the doorbells, including two rated as critically vulnerable and a further nine rated as high impact.

Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all of which risk exposing sensitive data to cybercriminals.

Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch off the device.

 

 “Connected devices, like smart doorbells, bring potential benefits and convenience to our lives but also significant risks if they are poorly made and sold without any safety checks or monitoring.”

– Kate Bevan 

Computing Editor, Which?

 

 

Legislate

“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices," continued Which?'s Bevan. “For now, we would urge the public to buy smart doorbells from known and trusted tech brands or installers rather than names you have never heard of before, otherwise they might find it is hackers that come calling to their home.”

 

Nickable

The Qihoo 360 Smart Video Doorbell, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard Sim-card ejector tool included with all smartphones. It can then be reset and sold on.

 

Hackers

Two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.

The Victure Smart Video Doorbell, which Amazon labelled the number one bestseller in ‘door viewers’ and had a review score of 4.3 out of 5 from over 1,000 ratings, was found to send customers’ home WiFi name and password unencrypted to servers in China.

If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data and any other smart devices they own.

 

Removed from sale

Which? was contacted by a customer who purchased the Victure doorbell and was concerned by the findings. After the seller of the Victure doorbell declined to give a refund, the consumer champion took the case directly to Amazon.

After Which? reported its findings, Amazon removed at least seven product listings and agreed to fully refund the Victure customer.

 

Ctronics

The Ctronics product was endorsed with the Amazon’s Choice logo and looked virtually identical to the Victure. After purchasing it and sending it to NCC Group, it was found to be a near exact clone, with the same firmware and data encryption vulnerabilities.

Which? believes that both these cases are in breach of the General Data Protection Regulation and has reported them to the Information Commissioner’s Office (ICO).

 

No recording

In one case, testers found a flaw with a doorbell sold on eBay that reverts the device to a ‘pairing’ stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell or just stop it from recording while they burgle the customers’ home.

Which? reported its findings to eBay and it put Which? directly in touch with the seller of the smart doorbell, who then removed the listing.

 

KRACK

Another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK. This is a vulnerability in the WiFi authentication process that would allow an attacker to break the WPA-2 security on someone’s home WiFi and so gain access to their network.

 

Easy passwords

A large number of the doorbells tested use weak, default and easy-to-guess passwords. It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers. Use of default passwords would be illegal under the new IoT legislation proposed by the UK government.

Which? wants this legislation to be backed by strong and effective enforcement and for the chosen enforcement body to ultimately have the power to suspend, permanently ban from sale or recall non-compliant products where necessary.

The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.

 

IoT legislation

Matt Lewis, research director at NCC Group, said: “Our findings could cause issues for consumers and are indicative of a wider culture that favours shortcuts over security in the manufacturing process. However, we are hopeful that the much anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles and educate consumers about the risks and what they can do to protect themselves.”

Picture: With thanks to the NCC Group. Which? worked with the NCC Group to expertly test 11 smart doorbells for security and data privacy over September and October 2020.

 

Right of reply

Amazon told The Installer & The Fabricator: “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed.”

 

eBay said: “When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer."

Article written by Cathryn Ellis
26th November 2020

Share



Related Articles