Your Smart Doorbell Isn’t As Secure As You Think
November 24, 2020
Smart devices are winning fans all over the world. We find them especially useful when coupled with our home appliances. This way, we gain remote access to our devices, which affords us an unbelievable sense of convenience. For example, instead of switching off our lights one by one, a single voice command directed at a Google Nest could switch everything off.
Taking this a step further, smart doorbells are able to alert us to the presence of people at our front door. And through the use of the in-built camera, we can view who it is with a mobile phone app. These connected devices provide a centralized way of managing our homes, even if we are miles away. But how secure are they?
The NCC Group, an entity comprised of global experts in cyber security and risk mitigation, warns that these devices, though they offer an amazing level of convenience, aren’t very secure. They say that smart doorbells use insecure WiFi, which leaves sensitive information clearly visible to remote attackers.
Some of them are also vulnerable to intrusion by hackers who are able to exploit security flaws in WPA-2 or the WiFi router itself. These attackers could then gain access to your entire home network, including your computers and other smart devices. It’s a serious threat that the NCC Group believes isn’t being taken seriously, because consumers favor convenience over security.
Speaking on this research, Matt Lewis, research director at NCC Group, said, “Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process. However, we are hopeful that a much-anticipated IoT legislation will signal a watershed moment for IoT security.”
These are some of the NCC Group’s recommendations to manufacturers:
Use modern and secure encryption – to prevent eavesdropping and to protect the integrity of data, encryption should be mandatory across all doorbells, mobile application storage and communication. This should include the data saved on the SD card or transferred between the doorbell and mobile application themselves, or over the public internet to the related cloud-based servers.
Eliminate undocumented features – this would also prevent many of the issues we identified in this research. To put it simply, if a feature is not documented, it is of immediate interest to an attacker as it could be vulnerable and serve as a backdoor into the wider network.
Enforce access control measures across all components – this will ensure that requests can only be performed as an authorized user or device owner.
Provide adequate anti-tamper protection – When any hardware is outside a building, there is a risk of the device being unmounted from its bracket and stolen. Therefore, it’s important that manufacturers work in adequate tamper protection to reduce the risk of theft as far as possible.