Smart Doorbells Are Wide Open to Security Flaws
A consumer rights group has found security vulnerabilities in 11 popular smart doorbell products available on two of the world’s biggest online marketplaces.
Which? enlisted the help of researchers at NCC Group to run tests on the smart devices they found on eBay and Amazon, many of which had scores of five-star reviews, were recommended as “Amazon’s Choice,” or on a bestsellers list.
Typical issues included: weak password policies, meaning hackers could guess the factory defaults to hijack the device; excessive data collection and lack of data encryption, meaning attackers could lift Wi-Fi password details to hijack other devices on the home network.
The Victure VD300 was found to be sending unencrypted info including Wi-Fi name and password to servers in China, while the Qihoo 360 D819 stored video recordings in unencrypted format and could even be physically removed from the wall with a SIM-card ejector tool, Which? said.
The Ctronics CT-WDB02 and Victure devices contained a critical vulnerability enabling attackers to steal network passwords, while an unbranded V5 Wifi Ring doorbell featured a flaw allowing attackers to take it offline by reverting it to a “pairing” mode.
Another unnamed device tested by NCC Group featured the infamous KRACK vulnerability, which could enable attackers to break WPA-2 security to grab home network passwords.
The UK government is introducing new legislation intended to improve baseline security of consumer IoT products sold in the country. This includes a mandate for manufacturers to ensure they all have unique passwords out-of-the-box, a public point of contact for vulnerability management and a clear time frame in which security updates will be offered.
However, not all of the faults listed above would be fixed by the law. Which? is also calling for strong enforcement of the law to ban any non-compliant products.
In the meantime, Amazon claimed it requires all products offered online to comply with applicable laws and regulations and has “developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.”
E-commerce giant eBay said it immediately removes any products found to violate its safety standards.
“These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer,” it said of the report. “We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed.”