Cut-price ‘smart’ doorbells could be hackers’ key to your computer
SMART doorbells could be used to hack into laptops inside homes due to major security flaws in a number of devices, a Which? investigation has found.
The consumer watchdog found smart doorbells selling online can be easily switched off, stolen or hacked by criminals. Which? bought 11 smart doorbells, some of which appeared to look very similar to Amazon Ring or Google Nest models, available from popular online marketplaces such as Amazon Marketplace and ebay.
Working with cyber security experts NCC Group, high-risk security issues were found among all of the doorbells, including two it rated as critically vulnerable and a further nine rated as high impact. Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all risking exposing sensitive data to cybercriminals.
Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch it off.
According to the report, two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop. The Victure Smart Video Doorbell, which Amazon labelled the number one bestseller in “door viewers”, and had a review score of 4.3 out of 5 from over 1,000 ratings, was found by testers for Which? to send customers’ home Wifi name and password unencrypted to servers in China.
After Which? reported its findings, Amazon removed at least seven products. A spokesperson said: “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed.”
Another doorbell on Amazon, by a brand called Ctronics, was endorsed with the Amazon’s Choice logo and looked virtually identical to the Victure. After purchasing it and sending it to NCC Group, it was found to be a near exact clone, with the same firmware and data encryption vulnerabilities.
Kate Bevan, Which? computing editor, said: “Connected devices like smart doorbells bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring. Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.”
Which? tried to contact all the manufacturers, but could only find details for Victure who did not respond.