Smart doorbells commonly found on marketplaces such as Amazon and eBay contain serious vulnerabilities that expose their owners to a host of security and privacy threats, according to an investigation led by the British consumer watchdog Which?.
Together with NCC Group, Which? looked into 11 internet-connected video- and audio-equipped doorbells, finding disconcerting vulnerabilities in all of them. A number of the gadgets are designed to have the look and feel of Amazon's Ring and Google's Nest Hello and are sold either under their own brands or with no discernible branding. Some devices were promoted with the "Amazon's Choice" logo and received rave user reviews.
Notably, this includes the Victure VD300 smart doorbell, listed as "the number one bestseller in 'door viewers'". The device was found to send the owner's Wi-Fi network password to servers in China unencrypted. If stolen, the login details might give crooks access not just to the victim's Wi-Fi network but also to other devices connected to it, exposing people's sensitive data in the process.
A lack of encryption was a common finding throughout the test; it also affected video footage, which was often stored unencrypted.
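A practical way for a device owner or tester to confirm the kind of leak described above is to capture the doorbell's outbound traffic on their own network and search it for their own Wi-Fi password, both verbatim and in the trivial encodings (URL-encoding, base64) that are sometimes mistaken for protection. The following is an added example, not code from Which?, NCC Group or any vendor; the `Flow` records, the hostnames under `.test` and the password `correct horse battery` are all constructed stand-ins for a real capture.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import quote


@dataclass(frozen=True)
class Flow:
    """One application-layer message extracted from a capture of the device's own traffic."""
    dst: str        # destination host the device contacted
    port: int       # destination TCP port
    payload: bytes  # application-layer bytes as captured (constructed here)


# Constructed sample flows standing in for a real packet capture of a doorbell phoning home.
WIFI_PSK = "correct horse battery"  # the owner's own Wi-Fi password (constructed)
SAMPLE_FLOWS = [
    # Plain HTTP "bind device" request carrying the SSID and URL-encoded password.
    Flow("api.example-cloud.test", 80,
         b"POST /bind HTTP/1.1\r\nHost: api.example-cloud.test\r\n\r\n"
         b"ssid=HomeNet&pass=correct%20horse%20battery"),
    # A TLS ClientHello prefix: opaque to this check, as properly encrypted traffic should be.
    Flow("api.example-cloud.test", 443, bytes.fromhex("16030100a5010000a10303")),
    # JSON body on a non-standard port, password merely base64-encoded (encoding is not encryption).
    Flow("upload.example-cloud.test", 8080,
         b'{"token":"' + base64.b64encode(WIFI_PSK.encode()) + b'"}'),
]


def encodings_of(secret: str) -> Dict[str, bytes]:
    """Byte patterns under which a secret may show up in cleartext traffic."""
    raw = secret.encode()
    return {
        "plaintext": raw,
        "url-encoded": quote(secret).encode(),
        "base64": base64.b64encode(raw),
    }


def find_plaintext_secrets(flows: List[Flow], secrets: List[str]) -> List[Tuple[str, int, str]]:
    """Return (destination host, port, encoding) for every flow that carries a secret in the clear.

    A flow that contains none of the patterns is not proof of encryption; it only means this
    particular secret was not found in a recognisable form.
    """
    findings: List[Tuple[str, int, str]] = []
    for flow in flows:
        for secret in secrets:
            for encoding, needle in encodings_of(secret).items():
                if needle in flow.payload:
                    findings.append((flow.dst, flow.port, encoding))
                    break  # one finding per (flow, secret) pair is enough
    return findings


if __name__ == "__main__":
    for dst, port, encoding in find_plaintext_secrets(SAMPLE_FLOWS, [WIFI_PSK]):
        print(f"Wi-Fi password sent {encoding} to {dst}:{port}")
```

In real use the flows would come from a capture of the device taken on a mirror port or a dedicated IoT VLAN, and the secret list would hold the owner's own credentials only. A match is a strong signal; an empty result is not a clean bill of health, since the check cannot see inside compressed, obfuscated or differently encoded payloads.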
Other flaws had to do with weak password protection: the units came with basic, easy-to-guess default passwords, or their passwords were easy for unwanted guests to reset. Some devices could readily be switched off or stolen, paving the way for burglars to do their 'job' and be gone while nobody is watching. One gadget was susceptible to a critical exploit taking advantage of the Key Reinstallation AttaCK (KRACK) vulnerability in Wi-Fi authentication, which could ultimately leave Wi-Fi networks wide open to compromise.
Unsurprisingly, most units gathered more customer data than they actually needed for their operations. Overall, the test's findings are by no means unique: similar probes have been conducted before and produced equally unflattering results.
Amazon has since removed the listings for at least seven products. eBay, meanwhile, said in a statement: "These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer."
If you’re in the market for any connected gizmo, you want to do your homework and choose a reputable manufacturer with a proven track record of securing their devices. Then, when you first set up your new smart device, at the very least make sure you protect it with a strong and unique password or passphrase as well as with two-factor authentication.
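The password advice above (strong, unique, not the factory default) is easy to turn into a check that runs at device-setup time, and the weak-default findings earlier on the page are exactly what such a check is meant to catch. The following is an added example, not code from any doorbell vendor or from the Which? report: `COMMON_DEFAULTS` is a short constructed list of the kind of factory passwords a real checker would load from a larger wordlist, and `SMALL_WORDLIST` stands in for a full diceware-style list. Two-factor authentication is a separate control and is not covered here.

```python
import math
import secrets
from typing import Iterable, List, Tuple

# Constructed stand-in for a list of factory-default passwords (a real checker would use a
# much larger list drawn from the devices actually in use).
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "admin123", "1234", "888888"}

# Constructed stand-in for a diceware-style wordlist; a real one has 7776 words.
SMALL_WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor"]

MIN_LENGTH = 12


def check_password(candidate: str, already_used: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Return (acceptable, reasons) for a password chosen during device setup.

    Rejects factory defaults, short passwords, all-digit PINs and any password reused from
    another account or device supplied in `already_used` (e.g. the Wi-Fi passphrase).
    """
    reasons: List[str] = []
    lowered = candidate.strip().lower()
    if lowered in COMMON_DEFAULTS:
        reasons.append("matches a known factory-default password")
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isdigit():
        reasons.append("digits only")
    if any(candidate == other for other in already_used):
        reasons.append("reused from another account or device")
    return (not reasons, reasons)


def generate_passphrase(wordlist: List[str], words: int = 5, sep: str = " ") -> str:
    """Build a passphrase from `words` randomly chosen list entries using a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` independent picks from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    wifi = "correct horse battery"  # constructed: the owner's existing Wi-Fi passphrase
    for attempt in ("admin", "1234", wifi, generate_passphrase(SMALL_WORDLIST)):
        ok, why = check_password(attempt, already_used=[wifi])
        print(f"{attempt!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
    print(f"5 words from a 7776-word list: {passphrase_entropy_bits(7776, 5):.1f} bits")
```

The entropy figure is what makes the wordlist size matter: five words from the eight-word stand-in list give only 15 bits, while five words from a full 7776-word list give about 64.6 bits, which is why a real deployment must not ship a toy list like `SMALL_WORDLIST`.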