News -

Smart doorbells – delivering the security you expect?

2020 has been the year of staying home, so it makes sense that we invest in the latest tech to keep it connected and running smoothly. Smart TVs, plugs, toys, cameras and doorbells are all being used to streamline our daily lives, but how secure are these devices?

For a long time, NCC Group has been committed to researching the security of the IoT ecosystem, not just for devices used within homes, but also across our workplaces, to understand the risks we’re facing as an increasingly connected society.

Over the last year, our researchers have been working closely with independent UK consumer body, Which?, to delve into the security of smart consumer devices that are being used across our homes. In October, we released research into smart plugs which uncovered 13 security and safety issues across nine devices.

Since then, we’ve seen vendors rollout fixes and marketplaces take down affected products – a great result and the driver for research like this, but there’s always more to be done. This is why we decided to look at the risks that eleven smart doorbells from lesser-known brands could pose to consumer security…

Findings: a digital spy-hole for cyber criminals?

During our assessment, we uncovered a wide variety of security issues relating to the hardware, associated mobile applications and the cloud servers which streamed and transferred data collected through the doorbells.

This included issues with the doorbell’s insecure built-in Wi-Fi, which could leave sensitive information, such as credentials viewable in plaintext, to a remote attacker. Another device was vulnerable to KRACK – a critical vulnerability, which could allow an attacker to break the WPA-2 security on a Wi-Fi router, gaining access to their network.

However, the most worrying vulnerability we uncovered was related to the cloud servers and services used to transfer and store the data collected through the doorbells. From our assessment, we were able to identify several devices which connected to cloud-based servers outside of the UK and Europe, which can pose a big risk to consumer data.

In some cases, data streamed via or stored in servers in these locations included location data, photos, audio, video, email addresses and credentials such as usernames, passwords and Wi-Fi authentication details.

Who’s responsible for IoT security?

Speaking on this research Matt Lewis, research director at NCC Group said: "Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process.

"However, we are hopeful that a much-anticipated IoT legislation will signal a watershed moment for IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can to protect themselves."

But what can manufacturers do to address these issues while we await legislation that will set the bar for security across all IoT devices?

Our researchers highlighted a number of recommendations, including:

  • Use modern and secure encryption – to prevent eavesdropping and to protect the integrity of data, encryption should be mandatory across all doorbells, mobile application storage and communication. This should include the data saved on the SD card or transferred between the doorbell and mobile application themselves, or over the public internet to the related cloud-based servers.
  • Eliminate undocumented features – this would also prevent many of the issues we identified in this research. To put it simply, if a feature is not documented, it is of immediate interest to an attacker as it could be vulnerable and serve as a backdoor into the wider network.
  • Enforce access control measures across all components – this will ensure that requests can only be performed as an authorised user or device owner.
  • Provide adequate anti-tamper protection – When any hardware is outside a building, there is a risk of the device being unmounted from its bracket and stolen. Therefore, it’s important that manufacturers work in adequate tamper protection to reduce the risk of theft as far as possible.

What can consumers do to protect themselves?

As we draw closer to the holiday season, more and more consumers will be looking for the latest IoT products for their homes, families and friends, but it’s important to remain vigilant when making these purchases.

If you’re unsure about what you need to be looking for, we have a handy guide on the simple things you can do to ensure you’re purchasing a device that will keep your information safe and secure, as well as mitigations you can put in place across your home and devices.

You can read the Which? article here: https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/

Topics

  • Technology, general

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related media

Related content

Lights out for smart plugs? 

Many of us will be well aware of the security risks that connected devices can pose to our personal security, but what about the security of the smart plugs that help bring our connected homes together?

Lights, camera, what about security?

Nearly two weeks ago, we released a technical advisory detailing how the TP-Link C200 IP camera could be exposed to the infamous Heartbleed bug. Today, Dale Pavey has released a full blog which delves into discoveries he made while assessing the security of popular Internet Protocol (IP) cameras.

Looking back to look forward: predictions for 2021

​With the new year just around the corner, we decided to stop and take stock of how legislative measures and cyber security research have advanced to keep pace with the rapidly evolving cyber landscape. To start this process, we’re looking back at some of our most recent predictions to see how they’ve progressed and whether our research is contributing to making the world safer and more secure.

Honeypot research reveals the connected life might not be so sweet

Smart TVs, fridges, toothbrushes, heating, plugs, cameras, kettles – these are just a few of the connected devices that have made their way into our homes. But what are the security implications of introducing more of these smart devices into our homes? Our latest research with Which? and the Global Cyber Alliance delves into this.

UK government announces plans for new IoT security law

Today, the UK government's Department for Digital, Culture, Media and Sport (DCMS) has published its response to its call for evidence seeking feedback on proposals to regulate the cyber security of consumer smart products. Our global CTO, Ollie Whitehouse, responds to this announcement in this post.

Are dash cam users en-route to security risks?

We rely on dash cams to continuously record events that happen on the road, and to provide evidence in the event of road traffic incidents or accidents. But can we trust them to keep our data safe and secure? In our latest research with Which?, we put nine devices to the test and uncovered a number of issues.

Enter your email address to follow NCC Group Newsroom

When you choose to create a user account and follow a newsroom your personal data will be used by us and the owner of the newsroom, for you to receive news and updates according to your subscription settings.

To learn more about this, please read our Privacy Policy, which applies to our use of your personal data, and our Privacy Policy for Contacts, which applies to the use of your personal data by the owner of the newsroom you follow.

Please note that our Terms of Use apply to all use of our services.

You can withdraw your consent at any time by unsubscribing or deleting your account.
Check your inbox

Email sent to __email__. Click the link there to follow NCC Group Newsroom.

Okay