Insecure Video Doorbells Flood the Market, Researchers Find

Many of the smart video doorbells on the market harbor severe vulnerabilities and physical weaknesses, a report by NCC Group and Which? found.

Smart video doorbells fill a particular niche in the IoT segment. While they don’t really fulfill any must-have function, they usually come with many problems. If you’re a US citizen, police might access your doorbell footage or live feed. Similar products from around the world have exposed recorded videos or allowed attackers to take control.

Once you install a video doorbell, there’s no escape from a simple fact — controlling where and how the data is stored becomes a struggle that regular users find difficult to overcome. What makes the situation even worse is that the IoT and video doorbell industries are poorly regulated, and some companies just do as they please.

The NCC Group and Which? study looked at 11 smart doorbells found in various online marketplaces. While only a few are from well-known brands, many are available on Amazon, eBay and Wish. Their main advantage is price, but that’s where it stops.

For example, the researchers found that the hardware of the Victure VD300 sends the Wi-Fi name and password to servers in China unencrypted. Moreover, customers can find identical but unbranded copies on various other websites.

Another popular doorbell, the Qihoo 360 D819, allowed attackers to detach it from the wall, reset it and sell it as new. The recordings themselves are stored unencrypted.

As for the other models, some of the more common vulnerabilities included susceptibility to KRACK (Key Reinstallation AttaCKs), lack of data encryption, excessive data collection and poor security policies.

The only way to properly secure the marketplace is to implement IoT security guidelines, which are only now in the process of deployment. It will take a few years for the market to comply fully.