November 23, 2020

Research finds security flaws in smart doorbells sold on eBay and Amazon

By Ellen Daniel

Consumer watchdog Which? has found “high-risk security issues” in 11 smart doorbells available to purchase through Amazon and eBay.

Working with NCC Group, Which? tested 11 doorbells, some of which had 5-star reviews or were recommended as ‘Amazon’s Choice’, and found vulnerabilities in all of them.

Although designed to improve home security, smart doorbells can contain security vulnerabilities that leave them open to be hacked. Often this is because the devices have weak password policies where the user is not required to change the default password. In other cases the product seller may not roll out security updates, meaning devices are left unpatched.

Cybersecurity professionals have frequently called for improvements to be made to the security of smart home devices, including smart doorbells, with incidents of attackers successfully hacking into the video feed of such devices.

Among the doorbells tested by Which? was the Victure Smart Video Doorbell Camera VD300  model, which can be purchased for £90. It found that data, including wi-fi names and passwords, was being sent unencrypted to servers in China. This means it would be possible for an attacker to intercept this data.

Another doorbell tested was the Ctronics CT-WDB02 Wireless Video Doorbell, which was found to have vulnerabilities that could enable a hacker to steal the network password and gain access to other smart devices on the network.

Which? said it contacted both Amazon and eBay as well as attempting to contact the manufacturers of the doorbells

Which? advised individuals looking to purchase a smart doorbell to be cautious of unfamiliar brands, to change the default password when setting up a smart doorbell, ensure that software updates are installed, and install two-factor authentication.

It also called for tougher legislation when it comes to the security of smart home devices, and for online marketplaces to take more responsibility for the smart devices sold through their platforms.

Jake Moore, cybersecurity specialist at internet security firm ESET, said:

“Smart doorbells may sound exciting, but they can often be more dangerous than you think. People tend to not think too much about the security of the smart devices in their homes, but you often get what you pay for. Cheaper devices can make sacrifices such as fewer updates or weaker password policies – if any – which weakens your home networks. Products that store data and footage on the cloud must be encrypted too, but this is something many people will not check – wrongly assuming these devices are protected from the moment they are out of the box.

“It is vital that you research and protect any device you let into your home and connect to the internet, or you risk allowing malicious actors into your network. Two-factor authentication is a must with all IoT devices – and if a product does not offer 2FA capabilities, it is unlikely to have your privacy or best interests at heart.”

Read More: Smart devices could be powered by indoor light.