Walmart and Amazon are continuing to sell faulty smart doorbells and cameras filled with vulnerabilities that could expose customers’ sensitive information, according to research published Thursday.
The vulnerabilities, found in Geeni- and Merkury-branded security cameras and smart doorbells, would allow attackers to take full control of devices and remotely disable cameras through a denial-of-service attack in some cases, according to the research. In others, the flaws could allow for the disclosure of sensitive information and unauthenticated access.
Some other exploits would allow attackers to gain remote access to a stream of one of the affected doorbell cameras.
The flaws variously affect Merkury/Geeni doorbell models GNC-CW013, GNC-CW025 and MI-CW024 and camera models GNC-CW003, GNC-CW010, GNC-CW028 and MI-CW017, according to the research. Merkury is Geeni’s parent company.
Security cameras and doorbells that connect to the internet have been plagued by flaws for years. Just last month a TechCrunch investigation revealed that Amazon’s Ring doorbell app Neighbors could expose users’ location and home addresses. Two years ago Ring customers’ passwords were exposed in a massive leak that could allow third parties to access live camera feeds.
The research — conducted by TJ O’Connor, an assistant professor and the Cybersecurity Program Chair and Director of the IoT (internet of things) Security and Privacy Lab at Florida Institute of Technology, and his graduate student Daniel Campos — is a reminder that just because a security product is available for sale in popular retail stores, privacy and security may not be guaranteed.
O’Connor and Campos disclosed the flaws to MITRE and the company, Merkury Innovations, last November, but they have not yet been fixed, as The Washington Post first reported. Merkury spokesperson Sol Hedaya told CyberScoop in a statement fixes should be available later this month.
“We regularly update the security of our app and devices. We often work with security researchers like this to address theoretical vulnerabilities, and deeply appreciate the way in which the issues are raised and the ability to rectify and address them in a responsible manner,” Hedaya said, adding “we have no known exploits of any of these vulnerabilities.”
In the meantime, the flaws, some of which would leave no trace if exploited, are placing user security and privacy at risk, argues ReFirm Labs, whose software the researchers used to probe the products.
“Backdoors like these will be used to completely violate consumers’ privacy by criminals, and put citizens’ security at risk when used by nation state hackers,” ReFirm Labs stated in a blog post.
Some of the flaws the researchers found could be exploited if attackers used default accounts to connect to vulnerable systems, due to default and static passwords being built into the firmware or because of static usernames and passwords being stored in a shared library, according to the research.
It’s a status quo that needs to change and retailers should step up, argues ReFirm Labs. Retailers could, for instance, use systematized labeling to alert customers to trustworthy products.
“Just as you expect products you buy from name brand stores won’t catch on fire and burn down your house, consumers should demand that those same products won’t spy on them,” ReFirm Labs said. “Retailers have an obligation to be proactive in pushing for proper cybersecurity in the IoT devices they sell.”
The security of internet-connected devices is an issue that has gained the attention of lawmakers on Capitol Hill. But while lawmakers recently passed a bill that would address the security of internet of things in federal government purchases, there is still no federal legislation that addresses the conditions under which IoT devices can be sold to consumers safely.