Smart doorbells have gained immense popularity over the past two years, as they allow users to keep a closer watch on people approaching their homes, with manufacturers like Nest or Ring taking a clear advantage over their competitors.
While these devices are really useful, the fact that they require an Internet connection makes them vulnerable to multiple hacking methods, a risk that increases if manufacturers do not pay due attention to the development of security features on these devices. Which?, in collaboration with NCC Group, performed an analysis of 11 different smart doorbells available on the most popular online shopping sites to test their security measures.
Experts found security flaws on all analyzed devices, although user risks vary by case. Below is a brief overview of the devices with the most security flaws, which may be useful to anyone thinking of installing a smart doorbell at home.
Victure Smart Video Doorbell Camera
Available on Amazon for around $100, this model is similar to Ring's most popular models, although it has very poor security features. Experts detected that the analyzed model (VD300) sends the user's WiFi network name and password to the company's servers without applying encryption, so any threat actor could intercept this data and access the network of affected users.
Despite this lousy security practice, this device is one of the best sellers on Amazon, with a score of 4.3/5 on the platform. As if that weren't enough, it's possible to find cloned devices online, which are possibly much more insecure than the original devices.
Qihoo 360 D819 Smart Video Doorbell
This device does not have protection against physical theft and it is even possible to turn it off without the user’s authorization. Using a key to eject SIM cards (included with virtually any smartphone), threat actors can remove the device in order to reset and sell it.
Experts also discovered that Qihoo stores information from these devices without any encryption.
Ctronics CT-WDB02 Wireless Video Doorbell
This device has a critical flaw that would allow threat actors to steal the password from affected networks, so any other smart device connected to the network could be compromised.
Victure devices (mentioned above) also have similar flaws.
Wifi V5 Smart Doorbell (unbranded)
Which? experts also found a doorbell model very similar to Ring devices, although on close analysis it is obviously a copy. The worst part is that this model has a flaw that would allow threat actors to take control of the device and interfere with its functions, mainly to prevent the camera from working.
This device was removed from online sales sites after the report was published.
Specialists analyzed many other devices that come from little-known brands or are essentially copies of popular brands' products, discovering that most have common flaws, including some of the following vulnerabilities:
- An unbranded smart doorbell available on eBay is vulnerable to Key Reinstallation Attack (KRACK). This is a WiFi authentication flaw that would allow threat actors to bypass WPA-2 security on a wireless network.
- One of the main problems on these devices is the absence of data encryption; developers send user data to their servers (mostly established in China) unencrypted. User data is fully exposed and available to any threat actor.
- These devices also collect more information than necessary, so people should reconsider their daily use or at least opt for a device with less intrusive privacy settings.
- The password policies included in these devices are also very poor. The system does not ask to change the default password and threat actors could easily obtain this data; this is a problem typical of almost any Internet of Things (IoT) device.
The flaws found are completely exploitable, so users need to take into account reports and updates to prevent a malicious hacker from using these devices to access the network. The full report is on the official platforms of the researchers.
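For owners who want to check whether their own doorbell sends the WiFi name and password unencrypted, as reported above for the Victure VD300 and in the list of common flaws, the following is an added example and is not code from Which?, NCC Group or any vendor. It searches payloads exported from a capture of the device's outbound traffic for the owner's own SSID and passphrase in several common encodings; the addresses, ports, payloads and credentials are constructed sample values.

```python
import base64
import binascii
from urllib.parse import quote


def encodings(secret):
    """Common on-the-wire forms of a secret, duplicates dropped."""
    raw = secret.encode("utf-8")
    candidates = [
        ("plain", raw),
        ("url-encoded", quote(secret, safe="").encode("ascii")),
        # Matches only when the secret was base64-encoded on its own.
        ("base64", base64.b64encode(raw).rstrip(b"=")),
        ("hex", binascii.hexlify(raw)),
        ("utf-16le", secret.encode("utf-16-le")),
    ]
    forms, seen = {}, set()
    for name, value in candidates:
        if value not in seen:
            seen.add(value)
            forms[name] = value
    return forms


def find_leaks(flows, secrets):
    """Return sorted (dst, port, secret label, encoding) for every hit."""
    hits = set()
    for dst, port, payload in flows:
        lowered = payload.lower()  # hex dumps may be upper- or lower-case
        for label, value in secrets.items():
            for enc, needle in encodings(value).items():
                haystack = lowered if enc == "hex" else payload
                if needle in haystack:
                    hits.add((dst, port, label, enc))
    return sorted(hits)


# Constructed sample data: your own network's values go in SECRETS, and
# SAMPLE_FLOWS stands in for payloads exported from a capture of the device.
SECRETS = {"ssid": "HomeNet-2G", "passphrase": "c0rrect horse!"}
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, b"POST /register HTTP/1.1\r\n\r\n"
                         b"ssid=HomeNet-2G&pwd=c0rrect%20horse%21"),
    ("203.0.113.10", 8000, b'{"cfg":"' + base64.b64encode(b"c0rrect horse!") + b'"}'),
    ("198.51.100.7", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-framed record, opaque
]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_FLOWS, SECRETS):
        print("cleartext credential leak:", hit)
```

Any hit means the credential crossed the network in a recoverable form; an empty result only shows that none of these encodings was observed in the captured payloads.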