Today Consumer Reports (CR) published a story about a collection of connected video doorbell products that contain significant security vulnerabilities. These products are still available on major e-commerce platforms such as Amazon, Walmart.com, and Shien. Here, we’re sharing the vulnerability reports describing the potential attack vectors and a little about how this story happened.
The Investigation
In early January, Steve Blair and David Della Rocca, privacy and test engineers with CR, shared the details on two insecure doorbells that they were testing, which were purchased from Amazon. These products were seemingly popular, and one carried the Amazon Choice badge, which is a badge that Amazon bestows on products that have good ratings, a good price, and are available to ship quickly. Amazon bestows this badge using an algorithm, but as we discovered these products are not a good choice because they are terribly insecure.
The Findings
We found four issues with these doorbells during our regular testing. The first was that user data was transmitted over the air in plain text, including the user’s IP address, the SSID of the WiFi network the product is on, and other information. The second issue is that these doorbells are incredibly easy to take over once they are installed. As detailed in the vulnerability report it only takes a button press to reset the doorbell and bring it over to a new WiFi network.
For the article, I performed this particular hack in less than a minute using my phone. I then used my access to the doorbell to get the serial number, which we needed to showcase the third vulnerability. This vulnerability allows someone with the serial number to use that information to pull still images from the camera off the cloud server. This is really bad because the user can still retain control of their camera and an attacker could randomly pull this image data without the user knowing.
And finally, these devices do not have an FCC ID number on their product which makes them illegal to sell in the United States. In the U.S. wireless devices have to undergo product testing to ensure that their radios don’t interfere with other wireless devices or cause harm. While these products do have an FCC ID and were tested for compliance, they don’t include the necessary proof of that on the product.
Our Recommendation
We’re sharing our vulnerability reports detailing how these doorbells fail at a basic security level. We recommend that if you have these products that you uninstall them, and we’re calling on the Federal Trade Commission to remove these doorbells from the marketplace and for the platforms that sell these products to do a better job vetting the products available on their sites. Because when it comes to cybersecurity, consumers can’t see the risks until it’s too late.