Which? bought 11 smart doorbells, some of which looked very similar to Amazon Ring or Google Nest models, available from popular online marketplaces such as Amazon Marketplace and eBay.
Working with cybersecurity experts NCC Group, high-risk security issues were found among all of the doorbells, including two rated as critically vulnerable and a further nine rated as high impact.
Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all of which risk exposing sensitive data to cybercriminals.
Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch off the device.
The Qihoo 360 Smart Video Doorbell, pictured above, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard Sim-card ejector tool included with all smartphones. It can then be reset and sold on.
Two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure Smart Video Doorbell, which Amazon labelled the number one bestseller in ‘door viewers’ and had a review score of 4.3 out of 5 from over 1,000 ratings, was found to send customers’ home WiFi name and password unencrypted to servers in China.
If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own.
The consumer watchdog also found another doorbell available on Amazon, by a brand called Ctronics. It was endorsed with the Amazon’s Choice logo and looked virtually identical to the Victure. After purchasing it and sending it to NCC Group, it was found to be a near-exact clone, with the same firmware and data encryption vulnerabilities.
Which? believes that both these cases are in breach of the General Data Protection Regulation and has reported them to the Information Commissioner’s Office (ICO).
In one case, testers found a flaw with a doorbell sold on eBay that reverts the device to a ‘pairing’ stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell, or just stop it from recording while they burgle the customers’ home.
Which? reported its findings to eBay and it put Which? directly in touch with the seller of the smart doorbell, who then removed the listing.
Another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical exploit called KRACK. This is a vulnerability in the WiFi authentication process that would allow an attacker to break the WPA-2 security on someone’s home WiFi and so gain access to their network.
A large number of the doorbells tested use weak, default and easy-to-guess passwords. It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers. Use of default passwords would be illegal under the new IoT legislation proposed by the UK government.
Which? wants this legislation to be backed by strong and effective enforcement and for the chosen enforcement body to ultimately have the power to suspend, permanently ban from sale or recall non-compliant products where necessary.
The consumer watchdog also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.
Says Kate Bevan, Which? Computing editor:
“Connected devices like smart doorbells bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle insecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“For now, we would urge the public to buy smart doorbells from known and trusted tech brands rather than names you have never heard of before, otherwise they might find it is hackers that come calling to their home.”
Adds Matt Lewis, research director at NCC Group:
“Our findings could cause issues for consumers and are indicative of a wider culture that favours shortcuts over security in the manufacturing process.
“However, we are hopeful that the much anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves.”
How to stay safe while using smart doorbells
Beware of unknown brands – Buy from a reputable, well-known and trusted brand. Be cautious when the company that’s selling the smart product doesn’t have a website or any contact details. If you can’t find the brand online at all avoid it.
Check the reviews – Although the product might have hundreds or even thousands of glowing reviews, always read the negative ones, too. They can alert you to worrying issues with the product.
Change the password – When setting up a new device, change the default password to a more secure one. We recommend the ‘three random words’ method. See which.co.uk/securepasswords for more.
Install all updates – These software updates provide vital protections against security threats. Check the settings to set updates to run automatically. And also run updates on your phone app.
Enable two-factor authentication (2FA) – If available, two-factor authentication is a great way to add extra security. With 2FA enabled, you have to input a code that’s generated by an app on your phone or sent to you by SMS to confirm it’s you logging in. See computing.which.co.uk/hc/en-