Could your smart doorbell be inviting thieves into your home?
The consumer group bought 11 smart doorbells, some of which looked very similar to Amazon Ring or Google Nest models, from online marketplaces such as Amazon Marketplace and eBay.
Testing carried out with cyber security experts NCC Group found high-risk security issues in all of the doorbells, including two rated as ‘critically vulnerable’ and a further nine rated as ‘high impact’.
Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all of which risk exposing sensitive data to cybercriminals.
Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch off the device.
The Qihoo 360 Smart Video Doorbell, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard SIM-card ejector tool included with all smartphones.
Two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password. The password could then be used to hack other smart devices in the home.
The Victure Smart Video Doorbell was found to send customers’ home Wi-Fi name and password unencrypted to servers in China. If stolen, this data could allow a hacker to access people’s home Wi-Fi, enabling them to target their private data and any other smart devices they own.
Kate Bevan, Which? Computing editor, said: “Connected devices like smart doorbells bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“For now, we would urge the public to buy smart doorbells from known and trusted tech brands rather than names you have never heard of before, otherwise they might find it is hackers that come calling to their home.”
Matt Lewis, research director at NCC Group, said: “Our findings could cause issues for consumers and are indicative of a wider culture that favours shortcuts over security in the manufacturing process.
“However, we are hopeful that the much anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves.”
How to stay safe while using smart kit
- Beware of unknown brands. Only buy smart devices from a reputable, well-known and trusted brand.
- Check the reviews. Although the product might have hundreds or even thousands of glowing reviews, always read the negative ones, too.
- Change the password. When setting up a new device, change the default password to a more secure one.
- Install all updates. These software updates provide vital protections against security threats. Check the settings to set updates to run automatically.
- Enable two-factor authentication (2FA). If available, two-factor authentication is a great way to add extra security. With 2FA enabled, you have to input a code that’s generated by an app on your phone or sent to you by SMS to confirm it’s you logging in.