Serious security flaws continue to crop up in connected video doorbells, but privacy and cybersecurity problems are in fact widespread across the fast-growing internet of things (IoT).
As billions of devices (ABI Research, New York, predicts 23 billion by 2026) make their connections to sensors, detectors, cameras and a host of network devices and infrastructures, including smart cities and industry automation, threat vectors will rise exponentially and systems integrators will need to carefully vet products and take active safeguards to protect customers’ systems.
A November 2020 study conducted by U.K. consumer advocacy group Which? found vulnerabilities in popular smart doorbells, putting consumers at risk of being targeted by hackers inside their homes. According to the report, 11 smart doorbells purchased online and tested were found to have serious cybersecurity gaps and weaknesses.
With internet-connected smart tech on the rise, smart doorbells are a common sight on residential streets, according to the report. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar-looking devices have popped up on Amazon, eBay and Wish at a fraction of the price, the researchers wrote. While the products look similar and have comparable features, Which? and cybersecurity researchers from NCC Group, San Francisco, found extensive vulnerabilities among the tested products.
“We tested 11 different doorbells found on eBay and Amazon, many of which had 5-star reviews and were recommended as ‘Amazon’s Choice,’ or on the bestseller list. One was labelled as the number one bestseller in ‘door viewers.’ We found vulnerabilities with every single one,” Which? said in their findings.
Vulnerabilities included unencrypted data communications to servers; unencrypted/unprotected storage of video and audio; Wi-Fi authentication issues and potential for KRACK (Key Reinstallation AttaCKs); excessive data collection; and weak password policies. Which? advised users to check reviews and product websites, set up two-factor authentication, change passwords and keep software updated.
Default passwords and insecure logins without two-factor authentication (two methods to verify the user) and open network paths still plague even professional security systems. Multiple class-action lawsuits have been filed against Ring and Amazon, with numerous reports of hackers infiltrating the company’s camera systems, according to Classaction.org, a legal advocacy group.
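Two of the weakness classes above, plaintext device-to-cloud traffic and weak or default passwords, can be checked by an integrator before a device is deployed. The following is an added example, not code from Which?, NCC Group or any vendor named in this article: it classifies observed network flows as encrypted or plaintext (by TLS record header rather than port alone, so a text protocol on a non-standard port is still caught) and scores a candidate password against a minimum policy. The flow records, hostnames (`.test` domain) and the short default-password list are constructed for the example.

```python
"""Pre-deployment audit helpers for a connected camera or doorbell.

Hypothetical example: the sample flows below are constructed, not captured
from any real device, and the default-password list is illustrative.
"""
from dataclasses import dataclass

# Well-known ports for protocols that carry data unencrypted.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 554: "rtsp", 1883: "mqtt"}


@dataclass
class Flow:
    device: str
    dst_host: str
    dst_port: int
    payload_prefix: bytes  # first bytes of the client payload


def looks_like_tls(prefix: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and major version 0x03."""
    return len(prefix) >= 3 and prefix[0] == 0x16 and prefix[1] == 0x03


def classify_flow(flow: Flow) -> str:
    """Return 'encrypted', 'plaintext <proto>' or 'unknown' for one flow."""
    if looks_like_tls(flow.payload_prefix):
        return "encrypted"
    if flow.dst_port in PLAINTEXT_PORTS:
        return f"plaintext {PLAINTEXT_PORTS[flow.dst_port]}"
    # Text-based protocols (HTTP, RTSP, FTP, SMTP) open with printable ASCII
    # even when moved to an unusual port.
    head = flow.payload_prefix[:8]
    if head and all(32 <= b < 127 for b in head):
        return "plaintext (unknown text protocol)"
    return "unknown"


def audit_flows(flows):
    """Collect every flow that carries data in the clear."""
    findings = []
    for f in flows:
        verdict = classify_flow(f)
        if verdict.startswith("plaintext"):
            findings.append((f.device, f.dst_host, f.dst_port, verdict))
    return findings


# Illustrative defaults only; a real check would use a larger breach/default list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "12345678", "admin123"}


def check_password_policy(password: str, min_length: int = 12):
    """Return a list of policy violations; an empty list means the password passes."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        issues.append("common default credential")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        issues.append("fewer than three character classes")
    return issues


# Constructed sample: one device uploads clips over plain HTTP, another streams
# RTSP on a non-standard port; the API and MQTT sessions are TLS.
SAMPLE_FLOWS = [
    Flow("doorbell-1", "api.example-cloud.test", 443, bytes.fromhex("160301")),
    Flow("doorbell-1", "upload.example-cloud.test", 80, b"POST /clip HTTP/1.1\r\n"),
    Flow("doorbell-2", "stream.example-cloud.test", 8554, b"OPTIONS rtsp://cam/ RTSP/1.0\r\n"),
    Flow("doorbell-2", "mqtt.example-cloud.test", 8883, bytes.fromhex("160303")),
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("plaintext traffic:", finding)
    print("password 'admin':", check_password_policy("admin"))
```

The TLS-header heuristic deliberately ignores the port, which is what exposes the RTSP stream on port 8554 in the sample; pairing the flow audit with a password check covers the two findings that recur across both the Which? report and the DIY-versus-professional comparison in this article.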
In addition, many surveillance cameras originating from China remain banned as part of a U.S. government blacklist of those manufacturers—placing them on an entity list. The entity list, part of the Export Administration Regulations (EAR), prohibits the purchase and installation of video surveillance equipment from these manufacturers and bars government agencies from accepting bids from contractors who use their equipment and services.
Private data and information at risk
“I don’t believe people understand the magnitude of the problem,” said Vince Crisler, founder and CEO of Dark Cubed, Alexandria, Va., and a former chief information security officer for the White House. “Two-factor authentication is required at a minimum. In addition, users need to pay attention to the apps they are using to access systems and the permissions the software is requesting—to pictures, files and locations. Some apps are subject to man-in-the-middle attacks. Application security is as important as the hardware, as well as where information is stored,” he said.
Dark Cubed is a security-as-a-service company that provides automated network protection solutions.
Crisler called it a national security issue, citing a burgeoning problem that encompasses DIY and professionally installed systems.
“One of the biggest challenges is that no one is championing IoT security for the consumer,” he said. “In this whole, ever-complex world, who is caring for the consumer?”
He added that some retailers are taking steps to be more responsible with what they sell, doing their own vetting and buying specific brands focused on device security. Transparency is important, as is knowing exactly where products originate from, which has become increasingly difficult.
In its white paper, “The State of IoT Security 2021,” Dark Cubed assessed the mobile applications used to interact with devices, communications to and from the devices, and the infrastructure on which the devices reside.
“We have found that things are actually getting worse. We have more concerns now than ever related to three key issues (1.) the implementation of basic security engineering principles; (2.) fatal flaws resulting in the leaking of your most personal moments; and (3.) an increased role in the command and control of consumer IoT infrastructure in the United States by Chinese companies, surrogates, subsidiaries and an array of seemingly deliberately disguised enterprises,” Crisler wrote.
Consumers must demand accountability, he said, and should focus on functionality over cost.
“The government needs to take action to protect consumers and the manufacturing and retail industries need to increase transparency; it’s time for an independent oversight body in IoT like Underwriters Laboratories,” he said.