Which? on video doorbells

by Mark Rowe

The consumer rights campaign group Which? wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third party, after testing video doorbells and finding vulnerabilities.

Which? tested unbranded doorbells, or products from brands little known outside of online marketplaces. Some of the doorbells were sending wi-fi account and password data unencrypted to Chinese servers. This means hackers could get access to this data and use it to infiltrate other devices.

Some products tested had a basic default password that would take a hacker seconds to suss out. In some cases they were also too easy to reset to the default password, meaning someone could hack in. Which? said criminals could detach one product from the wall with a standard Sim-card ejector tool, as included with smartphones. It can then be reset and sold on.

While Which? acknowledges the upcoming law on IoT devices, the campaign group wants it to be backed by enforcement, and for the chosen enforcement body to have the power to suspend, ban from sale, or recall non-compliant products.

The consumer advice group tested 11 doorbells found on eBay and Amazon, many of which had scores of five-star reviews, were recommended as ‘Amazon’s Choice’, or on the best-seller list. One was labelled as the number one bestseller in ‘door viewers’. The testers from cyber firm NCC Group found vulnerabilities in all 11.

Amazon said: ‘We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.’

And eBay said: ‘When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer. We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed.’



Dr Kiri Addison, Head of Data Science, Threat Intelligence at cybersecurity firm Mimecast, said: “We are continuing to see IoT products grow in popularity, with more and more of the UK public having devices inside their home. Smart video doorbells are one of the latest trends, with many consumers using them for both security and convenience. Despite this popularity, there is too often a lack of education around the security issues that these devices can present. It is now widely known that many IoT devices, such as smart cameras, lack basic security and are vulnerable to hacking, and we have all seen the news stories surrounding this.

“This has become even more pressing with more employees working from home, which could lead to more IoT devices connecting to corporate networks and providing a way in for hackers. Whilst consumers do need to ensure they are following basic cyber-hygiene practices, including regular updates and changing the password, the spotlight should be on the manufacturers of these so-called security devices.”

David Emm, Principal Security Researcher at Kaspersky, said: “The ongoing development of smart doorbells has introduced a new wave of cybersecurity risks. With research today showing flaws in the common models that people are purchasing and installing in their homes, namely around weak password policies and lack of data encryption, these seemingly harmless devices could become literal keys to people’s lives.

“If hacked, the doorbells could give criminals access to entire home networks and other smart devices, which hold huge swathes of potentially sensitive information. Or more simply, the criminals could seize control and switch off the device, which could leave houses vulnerable to intruders. Pending the UK government’s proposed legislation on the security of connected devices, device manufacturers should protect their customers by adhering to the UK government’s code of practice for IoT security.”

© 2024 Professional Security Magazine. All rights reserved.