Smart doorbells could be hackers’ key to devices inside your home

Smart doorbells could be used to hack into laptops inside the home due to major security flaws in a number of devices, a Which? investigation has found.

The consumer watchdog found that smart doorbells sold for enticingly low prices on online marketplaces can be easily switched off, stolen or hacked by criminals.

Which? bought 11 smart doorbells, some of which appeared to look very similar to Amazon Ring or Google Nest models, available from popular online marketplaces such as Amazon Marketplace and eBay.

Working with cyber security experts NCC Group, high-risk security issues were found among all of the doorbells, including two rated as critically vulnerable and a further nine rated as high impact.

Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all of which risk exposing sensitive data to cybercriminals.

Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch off the device.

According to the report two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.

The Victure Smart Video Doorbell, which Amazon labelled the number one bestseller in ‘door viewers’ and had a review score of 4.3 out of 5 from over 1,000 ratings, was found by testers for Which? to send customers’ home WiFi name and password unencrypted to servers in China.

If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own.

After Which? reported its findings, Amazon removed at least seven product listings. A spokesperson said: "We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores."

The consumer champion found another doorbell available on Amazon, by a brand called Ctronics. It was endorsed with the Amazon’s Choice logo and looked virtually identical to the Victure. After purchasing it and sending it to NCC Group, it was found to be a near exact clone, with the same firmware and data encryption vulnerabilities.

Which? believes that both these cases could be a breach of the General Data Protection Regulation and has reported them to the Information Commissioner’s Office (ICO) for investigation.

The ICO said: "Data protection laws require the collection and use of personal data to be fair and transparent. Being clear with individuals about the use of their data, and providing options to control that data, are important matters for organisations to get right. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO."

Kate Bevan, Which? computing editor, said: "Connected devices like smart doorbells bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.

"Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.

"For now, we would urge the public to buy smart doorbells from known and trusted tech brands rather than names you have never heard of before, otherwise they might find it is hackers that come calling to their home."

Matt Lewis, research director at NCC Group, said: "Our findings could cause issues for consumers and are indicative of a wider culture that favours shortcuts over security in the manufacturing process.

"However, we are hopeful that the much anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves."

Which? worked with NCC Group to expertly test 11 smart doorbells for security and data privacy over September and October 2020.

Which? tried to contact all the manufacturers, but could only find details for Victure who did not respond.

eBay said in a statement: "When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.

"We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed."

You may also like...