zerohedge – Tyler Durden Thu, 12/03/2020 – 20:40
After months of lockdown and social distancing due to the virus pandemic, many Americans have seen their work environments shift from commercial spaces to the home, and their shopping habits have migrated to e-commerce.
Staying at home led to a massive home improvement wave from spring through summer. Many folks remodeled or simply updated the technology in their homes to fit their new at-home lifestyle.
One such update was smart home security systems, including smart doorbells featuring microphones and cameras sold on Amazon and eBay.
While these smart doorbells have made millions of Americans’ lives easier this year, there’s a huge problem: many of these devices come with numerous security vulnerabilities, according to CyberScoop, citing a new report from U.K.-based security company NCC Group.
“One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network,” CyberScoop said.
NCC found that eleven smart doorbells sold on Amazon and eBay “raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers,” said CyberScoop.
Amazon released a statement about the compromised smart doorbells sold on its website, indicating it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect “unsafe or non-compliant products from being listed in our stores.”
In a statement, eBay said the listings of the compromised smart doorbells flagged by NCC researchers did not meet the company’s threshold for removal.
One of the devices in question is made by a company called Victure, which sells smart doorbells on Amazon. Researchers said the Victure doorbell sends the user’s wireless network name and password, unencrypted, to Chinese servers.
Other smart doorbells with security issues include the Qihoo 360 D819 Smart Video Doorbell, Ctronics CT-WDB02 Wireless Video Doorbell, and Unbranded V5 Wifi Ring Doorbell.
NCC Group research director Matt Lewis said the findings of all these compromised doorbells point to “a wider culture that favors shortcuts over security in the manufacturing process.”
CyberScoop has also found that certain home-networking devices, from routers to webcams, suffer from significant security vulnerabilities.
Last week, Congress passed a meaningful cybersecurity bill that would set security requirements for Internet of Things vendors that work with the government.
“It is arguably the most significant U.S. IoT-specific cybersecurity law to date, as well as the most significant law promoting coordinated vulnerability disclosure in the private sector to date,” said Harley Geiger, director of public policy at Rapid7, a cybersecurity company.
For now, readers should probably avoid purchasing the smart doorbell devices mentioned above.