‘Smart’ Doorbell Vulnerabilities

The holiday season is officially upon us. Now is a good time to find great deals but proceed with caution: be wary of “too good to be true” deals. CyberHoot blogged about Black Friday Scams recently, going into the methods hackers use to trick users into giving out personal information or ‘buying’ products that never arrive. Now we shift our attention to a product that is popular this season, ‘Smart’ Doorbells.

Smart Doorbells have been making waves the past year or two, allowing homeowners to have an internet-connected doorbell that notifies them when a visitor arrives. The doorbell activates when pressed or when it senses motion. The smart doorbell lets a homeowner use a smartphone app to interact with the visitor using the doorbell’s high-definition infrared camera and microphone. Some smart doorbells also allow the user to remotely unlock their door. These conveniences have led to the growing popularity of these devices. However, buyer beware: many of these devices leave gaping virtual holes in your front door.

‘Smart’ Doorbell Security Study

Manufacturers try to be the first to market with hot new technologies. Doing so often means cutting corners on testing, vetting, and security protections. Consequently, this new technology often contains IoT device risks. A recent test of 11 highly rated (five-star and editor’s choice) smart doorbells found that every one of them failed at least one security test, and often many more.

The popular Victure doorbell costs $60 and is a number one bestseller on Amazon (4.5 out of 5 on 400+ user reviews). The model tested, the Victure VD300, sends your Wi-Fi network name and password to servers in China unencrypted. Any hacker able to intercept this data could join your home network and gain access to other devices on it.

Another unbranded doorbell on Amazon looking identical to this Victure model had the exact same vulnerabilities. There’s no telling how many ‘cloned’ doorbells with similar or different frames are using the same underlying, unsafe software and hardware.

A video doorbell costing about $70, from a brand called Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router but also any other IoT smart devices in the home (think thermostat, camera, or even a laptop). The Victure doorbell tested above also had these same vulnerabilities.

This Ctronics brand also has identical-looking unbranded models to cater to those who may want to spend a little less on their smart doorbell.

The study found an unbranded model on eBay that looks similar to a Ring doorbell but isn’t one. A flaw in this doorbell can easily revert it to a ‘pairing’ stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell, or just stop it from recording while they burglarize the home. When the seller of this product was contacted about these flaws, they simply removed the listing from eBay. However, these unbranded Ring knock-offs are still available at places like Walmart for only $38, versus a Ring Smart Doorbell, which costs between $99 and $199! However, as noted in this security article, Ring doorbells haven’t fared much better on the security side. Buyers of these technologies must be aware of these risks, and CyberHoot’s advice is to update them regularly and buy mainstream (aka: Ring) as they are more likely to be fully supported, regularly patched, and more heavily tested.

Other Security Risks of 'Smart' Doorbells

  • KRACK – One device, bought from eBay without any clear brand associated with it, was vulnerable to a critical exploit called KRACK (Key Reinstallation AttaCKs). This is a vulnerability in the Wi-Fi authentication process that would allow an attacker to break the WPA2 security on someone’s home Wi-Fi and so gain access to their network.
  • Lack of Data Encryption – Any device on your network has access to your Wi-Fi account and password, and some of the doorbells were accidentally sending that data unencrypted to Chinese servers. This means hackers could get access to this data and use it to infiltrate other devices connected on your network, including smartphones, tablets and laptops.
  • Excessive Data Collection – How much does your doorbell really need to know about you? Far too much in some cases, such as the exact location of the device which could then be made available online to enterprising hackers.
  • Weak Password Policies – These models don’t prompt you to change your password and have a basic default one that would take a hacker seconds to crack. They are also too easy to reset to the default password, meaning hackers could easily gain access to your Wi-Fi network password and your device configuration password.
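
To check a doorbell you own for the unencrypted Wi-Fi credential leak described above (the Victure VD300 finding and the “Lack of Data Encryption” item), here is an added Python example, not code from the study or any vendor. It scans outbound payloads captured from the device for your network name and password in plaintext and a few simple encodings; the payloads, addresses, credentials and function names are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import quote

def encodings(secret):
    """Return the byte patterns to search for: the secret plus simple encodings."""
    raw = secret.encode("utf-8")
    variants = {
        "base64": base64.b64encode(raw),
        "hex": binascii.hexlify(raw),
        "url-encoded": quote(secret, safe="").encode("ascii"),
    }
    found = {"plaintext": raw}
    # Drop encodings identical to the plaintext (e.g. URL-encoding of "HomeNet-5G").
    found.update({name: v for name, v in variants.items() if v != raw})
    return found

def find_leaks(payloads, secrets):
    """payloads: (dest_ip, dest_port, bytes) tuples; secrets: {label: value}.
    Returns a sorted list of (dest_ip, dest_port, label, encoding) findings."""
    findings = set()
    for dest, port, data in payloads:
        for label, value in secrets.items():
            for enc, needle in encodings(value).items():
                haystack = data.lower() if enc == "hex" else data  # hex may be upper-case
                if needle in haystack:
                    findings.add((dest, port, label, enc))
    return sorted(findings)

# Constructed sample data (documentation-range IPs, made-up credentials).
SECRETS = {"ssid": "HomeNet-5G", "psk": "correct horse battery 42!"}
SAMPLE = [
    ("203.0.113.10", 80, b"POST /register HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                         b"ssid=HomeNet-5G&pwd=correct%20horse%20battery%2042%21"),
    ("203.0.113.10", 8000, b'{"k":"' + base64.b64encode(b"correct horse battery 42!") + b'"}'),
    ("198.51.100.7", 443, bytes.fromhex("16030300200a1b2c3d4e5f")),  # opaque TLS-like bytes
]

if __name__ == "__main__":
    for dest, port, label, enc in find_leaks(SAMPLE, SECRETS):
        print(f"LEAK: {label} sent to {dest}:{port} as {enc}")
```

A clean result is not proof of encryption: the base64 and hex checks only match a credential encoded on its own, so any finding confirms a leak but an empty list only rules out these simple cases.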

How To Stay Secure

  • Look At The Brand – If you haven’t heard of the brand, or there’s no brand at all, then you should be skeptical. Stick to a mainstream brand like Amazon’s Ring Smart Doorbell because it is backed by Amazon and its massive research and development.
  • Check Reviews – As the report has shown, you can’t always trust reviews. Seek out and read negative reviews, search for the words “vulnerability” or “security risk” in those reviews, or better yet, google the device and decide for yourself if the benefit is worth the risk.
  • Change The Default Password – This is true with any internet-connected (aka: IoT) device. Always change device default passwords. The most difficult to hack are complex and unique 14+ character passwords/passphrases. Store those passwords in a Password Manager.
  • Keep Up To Date – Software updates are common and sometimes add new features (Sonos 2.0 anyone???) but more often they’re fixing security issues and other problems. Check to see if your doorbell automatically updates itself and enable that feature if present. Better yet, don’t buy a device that doesn’t auto-update itself to begin with.
  • Set Up Two-Factor Authentication – This isn’t always available, but if it’s an option then be sure to enable it. It adds an extra layer of security by sending a unique code to your phone that is used to access the device in addition to a password. It’s very difficult for a hacker to access these unique codes, so it’s critical to set up 2FA on any account or device that you can.

If you have any doubts at all, keep your money in your pocket. When it comes to home security gadgets, don’t risk making your security worse than it was before just because you want that sleek new gadget. 
