Holiday shoppers looking for a wireless-connected doorbell might want to take a closer look at the device’s security features.
The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 “smart” doorbells sold on popular platforms like Amazon and eBay. One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network.
The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers. One device made by a company called Victure, for example, sent a user’s wireless name and password, unencrypted, to servers in China, according to the researchers.
In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect “unsafe or non-compliant products from being listed in our stores.” eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. A Victure spokesperson denied that the company sent user names and passwords, unencrypted, to servers in China.
The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.
NCC Group research director Matt Lewis said his team’s findings point to “a wider culture that favors shortcuts over security in the manufacturing process.” Other research has found home-networking devices ranging from routers to webcams to be riddled with vulnerabilities.
In this case, researchers bought another device from Amazon and eBay that was vulnerable to KRACK, a three-year-old bug that attackers could use to eavesdrop on wireless networks
Smart doorbells, which allow a home owner to talk to someone at their front door, have drawn greater scrutiny from researchers as they have grown in popularity. The NCC Group-Which? research follows the discovery last year of vulnerabilities in Amazon’s popular Ring doorbell, which prompted scrutiny of the company’s security practices from U.S. lawmakers.
The widely documented security issues in internet-connected, or “internet of things” (IoT), devices appear to be resonating with policymakers. Lawmakers in the U.S. and U.K. are beginning to act after years of little oversight of IoT gear. The U.K. government has proposed a law that would require manufacturers to build security controls into the devices.
The U.S. Congress last week passed long-awaited legislation that would set security requirements for IoT vendors that contract with the U.S. government.