‘Smart’ doorbells for sale on Amazon, eBay came stocked with security vulnerabilities

The findings point to “a wider culture that favors shortcuts over security in the manufacturing process,” one researcher said.

Holiday shoppers looking for a wireless-connected doorbell might want to take a closer look at the device’s security features.

The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 “smart” doorbells sold on popular platforms like Amazon and eBay. One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network.

The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers. One device made by a company called Victure, for example, sent a user’s wireless name and password, unencrypted, to servers in China, according to the researchers.

In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect “unsafe or non-compliant products from being listed in our stores.” eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. A Victure spokesperson denied that the company sent user names and passwords, unencrypted, to servers in China.

The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.

NCC Group research director Matt Lewis said his team’s findings point to “a wider culture that favors shortcuts over security in the manufacturing process.” Other research has found home-networking devices ranging from routers to webcams to be riddled with vulnerabilities.

In this case, researchers bought another device from Amazon and eBay that was vulnerable to KRACK, a three-year-old bug that attackers could use to eavesdrop on wireless networks.

Smart doorbells, which allow a home owner to talk to someone at their front door, have drawn greater scrutiny from researchers as they have grown in popularity. The NCC Group-Which? research follows the discovery last year of vulnerabilities in Amazon’s popular Ring doorbell, which prompted scrutiny of the company’s security practices from U.S. lawmakers.

The widely documented security issues in internet-connected, or “internet of things” (IoT), devices appear to be resonating with policymakers. Lawmakers in the U.S. and U.K. are beginning to act after years of little oversight of IoT gear. The U.K. government has proposed a law that would require manufacturers to build security controls into the devices.

The U.S. Congress last week passed long-awaited legislation that would set security requirements for IoT vendors that contract with the U.S. government.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
