Smart doorbells sold for enticingly low prices on online marketplaces can be easily switched off, stolen or hacked by criminals, a Which? investigation has found.
Which? bought 11 smart doorbells, some of which looked very similar to Amazon Ring or Google Nest models, available from popular online marketplaces such as Amazon Marketplace and eBay.
Working with cyber security experts NCC Group, Which? found high-risk security issues in all of the doorbells, including two rated as critically vulnerable and a further nine rated as high impact.
Flaws included weak password policies, a lack of data encryption and an excessive collection of customers’ private information – all of which risk exposing sensitive data to cybercriminals.
Some of these flaws even enabled the physical theft of the doorbell or made it easy for an intruder to switch off the device.
The Qihoo 360 Smart Video Doorbell, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard SIM-card ejector tool included with all smartphones. It can then be reset and sold on.
Two devices tested, by Victure and Ctronics, had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure Smart Video Doorbell, which Amazon labelled the number one bestseller in ‘door viewers’ and had a review score of 4.3 out of 5 from over 1,000 ratings, was found to send customers’ home WiFi name and password unencrypted to servers in China.
If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own.
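As an added illustration of the kind of leak described above (example code written for this page, not from Which? or NCC Group): a small Python checker that inspects captured outbound payloads from a device for the home SSID and passphrase in cleartext, including when they are merely base64-wrapped rather than encrypted. The destination addresses, SSID, passphrase and flows are constructed placeholders.

```python
import base64
import binascii
import json
import re
from typing import Dict, List

# Constructed values standing in for a home network (not from any real device).
HOME_SSID = "HomeNet-2G"
HOME_PSK = "correct horse battery"

# Constructed application-layer payloads captured from the device's IP address.
SAMPLE_FLOWS = [
    # Plain JSON provisioning request: credentials readable as-is.
    {"dst": "203.0.113.10:80", "tls": False,
     "payload": json.dumps({"ssid": HOME_SSID, "pwd": HOME_PSK, "dev": "db-01"}).encode()},
    # Same secrets, base64-wrapped: obscured but still unencrypted.
    {"dst": "203.0.113.11:8080", "tls": False,
     "payload": b"data=" + base64.b64encode(f"{HOME_SSID}:{HOME_PSK}".encode())},
    # TLS record bytes: opaque to content inspection, so never flagged.
    {"dst": "203.0.113.12:443", "tls": True,
     "payload": b"\x17\x03\x03\x00\x20" + bytes(range(32))},
]

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _decoded_variants(payload: bytes) -> List[bytes]:
    """Return the payload itself plus every base64-looking run decoded."""
    variants = [payload]
    for match in B64_RUN.finditer(payload):
        try:
            variants.append(base64.b64decode(match.group(0), validate=True))
        except (ValueError, binascii.Error):
            pass  # not valid base64, ignore this run
    return variants


def find_plaintext_credentials(flows, ssid: str, psk: str) -> List[Dict[str, str]]:
    """Report each cleartext flow whose payload carries the SSID or passphrase."""
    findings = []
    for flow in flows:
        if flow["tls"]:
            continue  # encrypted in transit; nothing to inspect here
        for variant in _decoded_variants(flow["payload"]):
            leaked = [name for name, secret in (("ssid", ssid), ("psk", psk))
                      if secret.encode() in variant]
            if leaked:
                findings.append({"dst": flow["dst"], "leaked": ",".join(leaked),
                                 "encoding": "plain" if variant is flow["payload"] else "base64"})
                break  # one finding per flow is enough
    return findings
```

Running the checker on your own device's captured traffic (with your real SSID and passphrase) shows whether it ships credentials in the clear and to which destination.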
Which? was contacted by a customer who purchased the Victure doorbell and was concerned by the findings. After the seller of the Victure doorbell declined to give a refund, the consumer champion took the case directly to Amazon.
After Which? reported its findings, Amazon removed at least seven product listings and agreed to fully refund the Victure customer.
The consumer champion found another doorbell available on Amazon, by a brand called Ctronics. It carried the Amazon’s Choice logo and looked virtually identical to the Victure. After purchasing it and sending it to NCC Group, it was found to be a near exact clone, with the same firmware and the same data encryption vulnerabilities.
Which? believes that both these cases are in breach of the General Data Protection Regulation and has reported them to the Information Commissioner’s Office (ICO).
In one case, testers found a flaw with a doorbell sold on eBay that reverts the device to a ‘pairing’ stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell, or just stop it from recording while they burgle the customer’s home.
Which? reported its findings to eBay and it put Which? directly in touch with the seller of the smart doorbell, who then removed the listing.
Another device, bought from eBay and Amazon without any clear brand associated with it, was vulnerable to a critical vulnerability known as KRACK. This is a flaw in the WPA2 WiFi handshake that would allow an attacker within radio range to break the WPA2 security on someone’s home WiFi and so gain access to their network.
A large number of the doorbells tested use weak, default and easy-to-guess passwords. It is common for less security-conscious consumers to leave the default passwords unchanged on their equipment, potentially exposing them to hackers. Use of such default passwords would be illegal under the new IoT legislation proposed by the UK government.
Which? wants this legislation to be backed by strong and effective enforcement and for the chosen enforcement body to ultimately have the power to suspend, permanently ban from sale or recall non-compliant products where necessary.
The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.
Kate Bevan, Which? Computing editor, said:
“Connected devices like smart doorbells bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“For now, we would urge the public to buy smart doorbells from known and trusted tech brands rather than names you have never heard of before, otherwise they might find it is hackers that come calling to their home.”
Matt Lewis, research director at NCC Group, added:
“Our findings could cause issues for consumers and are indicative of a wider culture that favours shortcuts over security in the manufacturing process.
“However, we are hopeful that the much anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes into fruition, we must continue to work together to highlight the need for basic security by design principles, and educate consumers about the risks and what they can do to protect themselves.”
How to stay safe while using smart kit
Beware of unknown brands – Buy from a reputable, well-known and trusted brand. Be cautious when the company that’s selling the smart product doesn’t have a website or any contact details. If you can’t find the brand online at all, avoid it.
Check the reviews – Although the product might have hundreds or even thousands of glowing reviews, always read the negative ones, too. They can alert you to worrying issues with the product.
Change the password – When setting up a new device, change the default password to a more secure one. We recommend the ‘three random words’ method. See which.co.uk/securepasswords for more.
Install all updates – These software updates provide vital protections against security threats. Check the settings to set updates to run automatically, and also keep the companion phone app up to date.
Enable two-factor authentication (2FA) – If available, two-factor authentication is a great way to add extra security. With 2FA enabled, you have to input a code that’s generated by an app on your phone or sent to you by SMS to confirm it’s you logging in. See computing.which.co.uk/hc/en-gb/articles/360000243980-What-is-two-factor-authentication-and-should-you-use-it-
Notes to editors
Which? worked with NCC Group to expertly test 11 smart doorbells for security and data privacy over September and October 2020.
The three security requirements for smart devices set to be brought into law are:
- Device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers must provide a public point of contact so anyone can report a vulnerability;
- Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
Rights of reply
“Data protection laws require the collection and use of personal data to be fair and transparent. Being clear with individuals about the use of their data, and providing options to control that data, are important matters for organisations to get right. If anyone has concerns about how their data has been handled, they can report these concerns to the ICO.”
“We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.”
“When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.
“We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed.”
Which? tried to contact all the manufacturers, but could only find details for Accfly and Victure, who did not respond. We could not track down someone to contact for the other doorbells, as some had no branding at all. Instead, we contacted eBay and Amazon, where we had purchased the doorbells.