Ignoring Smart Doorbell Security Is Like Giving House Keys to Hackers
UK consumer protection organization Which? recently revealed that smart doorbells sold in big-name online retailers can contain major vulnerabilities.
Together with NCC Group, another UK entity, Which? discovered that Internet-connected smart doorbells sold on platforms such as Amazon and eBay had significant security issues. A bit worryingly, a number of those smart video doorbells have been designed and produced in a way that makes them look very similar to big brand products like the Nest Hello from Google, even though the devices with security issues in them only have similar packaging and casing.
The branding on the problematic products is often missing, even though they have received positive reviews from customers on the respective platform that sells them.
One example of a product with security loopholes in its design is a video doorbell sold as the Victure VD300. Upon examination, it was discovered that the VD300, once installed, sends the password for the Wi-Fi network it uses to a server in China, in unencrypted form.
If intercepted and stolen, this information could allow bad actors full access to the Wi-Fi network of the compromised unit, as well as other devices connected to the same network.
Lack of encryption is just one of the common issues with smart doorbell systems. Another significant problem they often share has to do with password security. A number of doorbells had simple, short default passwords that are used commonly and are easily guessed.
Another device had a critical vulnerability allowing for a key reinstallation attack or "KRACK", effectively rendering the Wi-Fi network exposed to bad actors.
The devices were also found to collect and record data that is excessively detailed and does not benefit the doorbells' operation in any way.
Following the Which? investigation, Amazon has delisted a number of devices with security issues. eBay on the other hand claims that it functions differently as an outlet and any issues with the technical specifications of listed products should be directed to the hardware manufacturer.