- Researchers tested 11 smart doorbells from eBay and Amazon, and they were all hackable.
- The products used weak password policies, collected and stored data unencrypted, and contained flaws.
- If you are to buy a smart product, at least pick one from a reputable vendor who cares about security.
Smart doorbells are supposed to offer an extra layer of security by providing “knowledge” and “connectivity” to their users. Still, like all smart devices, they can also be a security liability. British consumer platform “Which?” has worked together with cybersecurity specialists from the NCC Group to figure out which smart doorbells are vulnerable to hacker attacks, and they’ve found at least 11 that are quite risky.
These were sampled among products with 5-star reviews on eBay and Amazon, with some of them being recommended as “Amazon Choice” items, meaning that they’re selling quite well.
Here is what the NCC Group’s experts found on each of the 11 models they tested:
- Victure VD300 – Sends unencrypted WiFi name and password to servers based in China.
- Qihoo 360 D819 – Can be easily detached from the wall and reset with a pen. Also, it keeps recordings stored locally without using any encryption.
- Ctronics CT-WDB02 – Contains a vulnerability that allows hackers to steal network credentials and access other devices connected to the same network.
- Unbranded V5 Ring clones – Contain flaws that enable hackers to revert it to a ‘pairing’ stage and take full control of the device.
- Unbranded smart doorbells – Various models that were confirmed to be vulnerable to KRACK attacks (key reinstallation).
If you’re planning to buy a smart doorbell this week, you should pay attention to some details that go beyond the Amazon review scores. Sure, some products may seem like a great value for their performance and features, but most user reviews don’t take the crucial aspect of security into account.
Here are the five points to focus on:
- Buy a product from a reputable and trustworthy brand and make sure that it’s genuine.
- Search the web for reviews of the product and dive deeper into the offered security features.
- Once you get the device in your hands, change the default password it came with.
- Set up two-factor authentication and prefer authentication apps instead of SMS codes.
- Apply software updates as soon as they become available from the vendor, both on the app and the device’s firmware.
As for eBay and Amazon, where the NCC researchers sourced the products from, both marketplaces denied that the listed cameras violate their safety standards, and so they see no reason to remove them. However, they promised to contact the sellers and address the concerns that arose from the ‘Which?’ report.