
Consumer Reports On (Un)Safe Video Doorbells

Home security products for the holidays

David Braue

Melbourne, Australia – Dec. 2, 2021

Thinking of putting some smart home security gadgets under the tree this Christmas? Choose carefully, warns Daniel Wroclawski — or you could end up giving your loved ones little more than a fancily packaged data breach.

Many of the most popular video doorbells and home security cameras have intrinsic security vulnerabilities that could make them unintended conduits for cybercriminals to breach network security, Consumer Reports has warned after extensive testing of 13 popular devices found 11 different security vulnerabilities within four of them.

The vulnerable devices — which include a Bosma video doorbell and security camera, Eufy video doorbell, and Nooie Cam Doorbell — were pitted against rivals from Arlo, Blink, Logitech, Netatmo, Ring, and Wyze.

The three manufacturers found most wanting when it comes to security are all startups, Daniel Wroclawski, home and appliances writer with the consumer rights advocate, told Cybercrime Magazine.

“On the one hand, it’s good that we didn’t find any vulnerabilities in big-name products,” he said, “and that’s what most people tend to buy. But people are still drawn to these lesser-known products, because they tend to be more affordable. And in this case, this is a problem.”

The security testers do share their findings with manufacturers and all had been receptive to the information, promising to fix the vulnerabilities quickly — but the bigger concern, Wroclawski said, is that many consumers buy gadgets without realising they are opening up a potential conduit for personal information that could be exploited for a range of purposes.


“There are definite issues that can snowball from this data being hacked,” he said, noting that cybercriminals have become well-versed in cross-matching databases of hacked passwords and using them to drive credential-stuffing attacks that could open the door to breaches of sensitive business or home systems.

Access to home WiFi passwords could open up a home network to attackers who could move laterally to compromise other connected computers and devices — potentially stealing sensitive files, financial records, or other personal information.

And while some of the manufacturers rated highly in protecting the devices from outside hackers, none of the devices tested scored excellent or very good when it comes to data privacy — assessment of which included careful readings of often-labyrinthine privacy policies and mandatory arbitration clauses that prevent consumers from suing companies for vulnerabilities.

“Every manufacturer, regardless of whether it’s a security camera or a refrigerator or a car, says they’re collecting data to improve the product,” Wroclawski said.

“And I’m sure that’s true to a certain degree, but at the same time they are also potentially selling that data to advertising agencies or data collection firms. There certainly are good intentions, but from a consumer perspective there are also not-so-great intentions.”

Addressing a chronic problem

It’s not the first time Consumer Reports has found security and privacy issues in digital doorbells: similar testing last year found issues with five out of 24 models tested, with only Eufy making the list in both years.

The decision to test the doorbells came as the increasingly popular devices could give outside observers detailed information about a target’s comings and goings — allowing them to establish a routine that might, for example, help them figure out the best time to rob the target’s home.

Previous testing of home security cameras has revealed so many vulnerabilities — such as September’s critical vulnerability affecting millions of Hikvision surveillance cameras, or the manipulation of Amazon’s Alexa-powered devices — that the industry has converged around The Digital Standard, Consumer Reports’ open-source methodology for testing home devices.

“We’re living in this world where more and more products have connectivity,” said Wroclawski, who is currently using the standard — which scores devices against a list of more than 70 different factors — to test connected home appliances like refrigerators, washing machines, and dishwashers.

“Those are all things that we have ingrained expectations of how they behave,” he said, “and connectivity throws those expectations out the window.”

Consumers’ expectations certainly don’t include the likelihood of having their privacy or home security breached — but with Internet of Things (IoT) devices recognised as chronically insecure, buying such devices for the holidays truly is a case of caveat emptor.

Many buyers don’t give appliances’ smart features much thought, although Wroclawski noted that “if it’s something that has a camera in it, people are much more concerned about that. Whereas if it’s something like a washing machine, they’re not as concerned — and they often won’t connect the product, so they don’t have to worry about their privacy and security.”

Others, however, are still oblivious to the risks of poorly secured devices — something that Wroclawski admitted is “a little disheartening.”

“If they do [connect their products] they are potentially opening themselves to a Pandora’s Box situation,” he said. “We do find a lot of people don’t care as much, but it does seem like the tides are turning as people become more and more aware of what companies can do with all this data.”

“It’s really kind of a mess — but as that picture becomes clearer, I think people will care more.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.
