Smart Doorbells on Amazon, eBay, Harbor Serious Security Issues
We Keep you Connected
Smart Doorbells on Amazon, eBay, Harbor Serious Security Issues
Matt Lewis, with NCC Group, talks to Threatpost about a slew of security and privacy issues found in smart doorbells that are being sold on Amazon and eBay.
Researchers have found serious security and privacy issues in 11 different smart doorbells, distributed via online marketplaces like Amazon and eBay, which could be exploited by attackers to physically switch off the devices.
Smart doorbells, which connect to a smartphone and alert users when someone approaches their home, along with video footage, have been increasingly popular over the years. Matt Lewis, research director at NCC Group, told Threatpost during this week’s Threatpost podcast episode that these smart doorbells were discovered to have a slew of issues, including weak password policies, lack of data encryption and excessive collection of customer information.
“Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process,” Lewis said. “However, we are hopeful that the much-anticipated IoT legislation will signal a watershed moment in IoTsecurity. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves.”
Researchers, in partnership with Which?, looked at smart doorbells from Victure (smart video doorbell camera for 90 Euro); Qihoo 360 (360 D819 smart video doorbell, for 87 Euro); Accfly (wireless video doorbell for 51 Euro)
Researchers found a bevy of issues with these products. Two of the devices tested, manufactured Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password. The flaws also would allow cybercriminals to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure Smart Video Doorbell also was found to send customers’ home WiFi name and password unencrypted to servers in China.
“If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own,” said Lewis.
A large number of the doorbells tested also used weak, default and easy-to-guess passwords, said researchers.
“It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers,” Lewis said.
Researchers found that another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK. The KRACK attack, a.k.a. Key Reinstallation Attacks, discovered in 2017. The KRACK approach was an industry-wide problem in the WPA and WPA2 protocols for securing Wi-Fi that could cause complete loss of control over data.
For the smart doorbell, this vulnerability could allow an attacker to break the WPA-2 security on someone’s home WiFi and ultimately gain access to their network, said researchers. Finally, researchers said, the Qihoo 360 Smart Video Doorbell, which is sold on Amazon, was easy to physically steal. Criminals could simply detach it from the wall with a standard Sim-card ejector tool (included with all smartphones). It could then be reset and sold.
Which? tried to contact all the manufacturers, but could only find details for Accfly and Victure, who did not respond. They also failed to track down someone to contact for the other doorbells, as some had no branding at all. Instead, researchers contacted eBay and Amazon, where the doorbells were purchased. Amazon for its part removed at least seven product listings after the research was presented to the company.
“We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores,” said Amazon in a statement.
eBay, for its part, said it continues to facilitate discussions between Which? and the smart doorbell sellers so the concerns can be addressed.
“When a product is listed that violates our safety standards, we remove the listing straight away,” said eBay in a statement. “These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.”
Lewis stressed that consumers can stay secure by staying away from unknown brands, and instead buying from reputable brands. In addition, researchers said, consumers should check their password always when setting up a new device, check settings to make sure that all updates run automatically, and enable two-factor authentication (2FA) if available on the device.
Catering to All IT Issues So You Can Stay Connected Securely
The Network Company has been based in South Orange County, CA, for over 27 years and provides “Managed IT Services.” We support your company’s network, computers, software, and users; and make sure your system is always running smoothly. Our topmost priority is to ensure that your users and customers get the most from your IT investment.
GET YOUR FREE, NO-OBLIGATION NETWORK HEALTH CHECK! We know you’re so busy running your business that sometimes you may forget to think about the security and health of your computer network. In fact, many business owners do NOT perform regular IT and Security maintenance, leaving the door wide open for spyware, viruses and other malicious threats that can infect their networks. This can lead to the loss of irreplaceable business data and hours of downtime. This is where we can help with Professional IT services, no matter what industry your business is in.
We don’t want this to happen to you! We’re offering you a FREE, no-strings-attached Network Health Check, which includes an inventory of your current environment, along with recommended improvements to keep your network healthy.
What’s the catch? You must be wondering why we are willing to give this away for free. We are simply offering this Network Health Check as a risk-free way to “get to know us” while helping you identify areas of vulnerability.
How does it work? To get your free Network Health Check, simply click here to complete the online request form. After we receive your request, we will contact you to schedule a specialist to perform the assessment.
Following the assessment, you will receive a complimentary recommended action plan and estimate for correcting any existing issues.