‘Smart’ Doorbells Contain Serious Security Issues
Researchers have discovered serious security and privacy issues in 11 different ‘smart’ doorbells sold on popular online marketplaces like Amazon and eBay. The identified flaws would allow threat actors to physically switch off the devices.
Smart doorbells and other IoT devices have grown in popularity in recent years. Users connect the devices to their smartphones to receive alerts when someone approaches their home and to view live video footage. Matt Lewis, research director at NCC Group, recently talked about how these smart doorbells were discovered to have a myriad of security issues, including weak password policies, a lack of data encryption, and excessive collection of customer information. Other researchers with Which? looked at smart doorbells from Victure, Qihoo 360, and Accfly, and found similar security issues.
Two of the devices tested, manufactured by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password. The flaws would also allow cybercriminals to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop. The Victure Smart Video Doorbell was also found to send customers’ home Wi-Fi name and password unencrypted to servers in China. Many of the doorbells tested also used weak, default and easy-to-guess passwords.
Researchers found that another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK. KRACK, short for Key Reinstallation Attacks, was discovered in 2017. It was an industry-wide problem in the WPA and WPA2 protocols for securing Wi-Fi that could cause complete loss of control over data.
For the smart doorbell, this vulnerability could allow an attacker to break the WPA2 security on someone’s home Wi-Fi and ultimately gain access to their network, said researchers. Finally, researchers said, the Qihoo 360 Smart Video Doorbell, which is sold on Amazon, was easy to physically steal. Criminals could simply detach it from the wall with a standard SIM-card ejector tool (included with all smartphones). It could then be reset and sold.
To defend against these vulnerabilities, consumers are urged to stay away from unknown brands and instead buy from reputable, well-known brands. In addition, consumers should set a secure password when setting up a new device, check the settings to ensure that all updates run automatically, and always enable multi-factor authentication (MFA) when available.
