'Smart' Doorbells For Sale On Amazon, eBay Came Stocked With Security Vulnerabilities (cyberscoop.com) 30
The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 "smart" doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell's camera, on insecure servers. One device made by a company called Victure, for example, sent a user's wireless name and password, unencrypted, to servers in China, according to the researchers.
In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.
In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.
Re: (Score:2)
Less shocking and more incendiary [slashdot.org], really.
Re:Shocker... (Score:5, Interesting)
Dumbass Doorbells (Score:3, Funny)
For dumbasses. I see absolutely no issue.
Seems like an opportunity (Score:2)
Would be really nice to see some smaller American manufacturer producing wireless doorbell units, you'd have to think it could be powerful marketing saying the products were made in the U.S. and your data would stay there also...
Re:Seems like an opportunity (Score:4, Informative)
I'd prefer my doorbell data to stay "in house", TYVM.
Re: (Score:3)
There are smart doorbells that are local only.
There might be a market for IoT safe routers as well. Create two wifi networks, one for general use and one for IoT. The IoT one is locked down and has no internet access.
Re:Seems like an opportunity (Score:5, Interesting)
People would see the price was 2x compared with similar doorbells and not even think about the data the things could collect. Even if it were marketed as privacy respecting (being made in the USA doesn't imply that), most people probably wouldn't pay attention long enough to recognize the risk.
You could probably physically grab doorbell customers and force them to hear you say that the doorbell they were about to buy would send their unencrypted username and password to a server in China and they would buy it anyway, because they don't fundamentally understand what that entails. Millions and millions of people use Facebook every day, and while we geeks know that is stupid, no amount of our explaining the reality of it will get them to stop.
Re: (Score:2)
People would see the price was 2x compared with similar doorbells
Maybe we should try before saying it doesn't work?
I personally would love a doorbell/camera, but am utterly turned off my Ring and other similar cameras because of the external collection.
I'm not saying the market would be as big as something like Ring which has way more marketing and will be cheaper. I am just saying, I think there are enough people who don't want traffic leaving the house that there is a potentially viable market you could
Re: (Score:1)
People would see the price was 2x compared with similar doorbells
Maybe we should try before saying it doesn't work?
I personally would love a doorbell/camera, but am utterly turned off my Ring and other similar cameras because of the external collection.
You don't have to wait, there are lots of plans online for home made video doorbells -- stop by one of the forums where they are discussed, over $400 and I'm sure you can get someone to build you one. It's not going to look as polished as one of the commercial ones, and won't have any remote access since you don't want your data to leave the house.
I think there are enough people who don't want traffic leaving the house that there is a potentially viable market you could carve out alongside Ring.
Especially if you made use of newer Homekit features where video was encrypted... you could charge more and people would still pay,
So you want your "traffic never leaves the house" video doorbell to store your data in your iCloud account?
Re: (Score:3, Interesting)
You don't have to wait, there are lots of plans online for home made video doorbells
Which further indicates there is a market, since there a re obviously a lot of people who want something like that but lack time or ability to use plans to make one from scratch.
stop by one of the forums where they are discussed, over $400 and I'm sure you can get someone to build you one
Sounds like a lot of work just to get to the point to find someone you can pay to build you what you want, and even then would it work with
$500 (Score:3)
Well, Kendall, if you want one you can have one - $500.
As you may recall, I'm a career security professional with 25 years of experience securing network-connected devices. As it happens, my brother has a company that puts cameras on house, vehicles, and commercial buildings. So between the two of us you can have the most secure internet-connected camera ever. Actually let's knock the price down to $499. :)
Re: (Score:2)
A) Only motion triggered events are stored in iCloud.
Perhaps I'm stupid, but do not understand how "data never leaving the house" reconciles with "only motion triggered events are stored in iCloud." Maybe I'll go get a cup of coffee and see if I can sort that out.
Re: (Score:2)
Look for one having the ONVIF protocol and connect it to your own video recorder device. Then you can just block all network traffic and collect your own video without any fees.
The next question of course is do you need external access to your own security system, and that has definite security tradeoffs. Choose wisely.
I guess we should call them... (Score:3)
Good (Score:3)
If the hackers see a thief or something they'll call the cops. That's like having your own sentinel for the low price of smart doorbell.
If only (Score:1)
This is what guest networks are for! (Score:2, Interesting)
Re: (Score:3)
Yes, but you'd still have to worry who was doing what with the data once it left your guest network/vLAN. Nobody really knows what happens to their video and audio data once it leaves their network and gets stored/shared by unknown entities.
Even Apple is in the news lately for being mostly secure, except if you enable iCloud backups, they can decrypt your data if needed [theverge.com].
Re: (Score:3)
ICloud backups are not encrypted. Apple will give law enforcement all your iCloud data upon lawful request (e.g. warrant). That's why iCloud backups do not include your keychain on purpose so a law enforcement order will not give up your account passwords.
In fact, iOS won't back up passwords except in an encrypted iTunes backup Even a regular iTunes backup won't do it because
Re: (Score:1)
Buy IoT that only needs internet and not LAN and put it on vLAN or guest network and stop worrying. You'd have to be a fool to think that stuff was secure for real or that it will get the long term security updates it would need to be a true secure networking device. THAT being the case simple consumer electronics will mostly always have to be compartmentalized to reduce risk.
Compartmentalization and risk mitigation are basically my job now, so I totally get that. What I don't understand, is why people assume their IoT "stuff" doesn't deserve to be put on your most secure network, which "Guest" networks (you know, the ones where the SSID is the cats name, and the password is posted on social media to make it easier for Guests) are usually nowhere near as secure.
You'd have to be a fool to assume our IoT "stuff" these days isn't a hell of a lot more damaging and life-threatening
Re:This is what guest networks are for! (Score:4, Insightful)
Why do smart doorbells need the internet? We used to have security cameras around the house and we recorded them to a computer that sat in the back room that had no external access and could only be gotten to via sitting down in the chair in that room. I don't understand the point of putting that type of info on the internet.
Re: (Score:2)
Explain Need for Company to Know Who Comes By (Score:2, Insightful)
Please clarify (Score:5, Insightful)
Are they talking about previously unknown security vulnerabilities, or the ones which were designed in as part of the service's specifications?
Euphemism (Score:4, Interesting)
And who needs a "smart" doorbell anyway? If you are not home, you are not home.
Don't worry - The Jehovah's witnesses will be back next week.