Posted on November 23, 2020 at 2:04 PM

Flaws in Smart Doorbells Invite Hackers to Infiltrate Home Devices

According to a recent report, a major security vulnerability in several devices could allow hackers to infiltrate laptops in the home via smart doorbells.

Those smart doorbells with such vulnerability issues are usually the least expensive ones. They can be easily stolen, hacked, or switched off by cybercriminals.

Consumer watchdog WHICH, after buying 11 of such doorbells, discovered that they can be easily altered by hackers to infiltrate systems.

Some of the doorbells resemble Google Nest models or Amazon Ring and are available at popular online marketplaces like eBay and Amazon.

Most of the devices pose a high-security risk

WHICH worked with cybersecurity experts NCC group to look at high-risk security problems facing the doorbells. The researchers rated nine of the devices as high impact and the remaining two as critically vulnerable.

The vulnerability included an excessive gathering of consumers’ private information, a lack of encryption, and weak password policies. All these security flaws risk exposing sensitive data to the threat actors.

Some of the vulnerabilities even give the hackers access to the doorbell, as they could steal it physically.

Ctronics and Victure doorbells were tested by the researchers. They discovered that the devices have critical flaws that could enable threat actors to steal the network password. Once the password is stolen, they can use it to hack the doorbell and its router, as well as other connected smart devices like a camera and thermostat. It’s also possible to hack into the laptop in the home via the access they have from the doorbell and its router.

Amazon has taken down most of the affected products

Amazon labeled the Victure Smart Video doorbell the number one bestseller when it comes to “door viewers”. From 1,000 ratings, the doorbell has a review score of 4.3 out of 5 points.

The doorbell sends unencrypted customers’ home WiFi and passwords to servers in China. If the details are stolen, the hacker could access the home WiFi of the victims, allowing them to launch attacks on their private data and other smart devices.

When WHICH reported its discoveries, Amazon took down most of the product listings. According to the company’s spokesperson, one of the rules for listing a product on Amazon is for the companies to comply with its policies and applicable laws. The listed companies should have designed top-notch tools to prevent listing non-compliant products on the Amazon portal.

 The other doorbell, known as Ctronics like the Victure model and has Amazon’s Choice logo embedded on it. When the consumer watchdog analyzed the doorbell with the help of NCC Group, it discovered it looked exactly like the Victure doorbell and it’s an identical clone with the same encryption and firewall vulnerabilities.

WHICH? has reported the two cases to the Information Commissioner Office (ICO). The consumer watchdog believes that both cases would have breached the General Data Protection Regulation.

According to the ICO, “Data protection laws require the collection and use of personal data to be fair and transparent.”

The agency also said it’s important for organizations to be clear with users about using their data and offering options that can control the data.

And they can report their issues to the ICO if anyone has issues about how their data is being handled.

Computing editor at WHICH, Kate Bevan, said there are potential convenience and benefits for connected devices like smart doorbells. However, they also pose high risks since they are not properly equipped with the right security mechanism. There is hardly any high monitoring or safety checks for these devices.

He also advised that there should be government legislation that can deal with unsecured products. The legislation should be supported by a law enforcement body with the power to crack down on the devices.

He further advised doorbell users to buy only from respected and trusted tech brands, and not to consider the products with unknown names.

Research director at NCC Group, Matt Lewis, revealed that the discoveries show that most manufacturers are more concerned about using a shortcut to design a product and less worried about the security measures they take. But he anticipates that the upcoming IoT legislation will address most of the issues.