Homeowners who purchase budget versions of popular smart doorbells could be leaving their homes vulnerable to criminals.
Households hoping to tighten security are actually at risk of installing devices that can be easily switched off, stolen or hacked, research has found.
Consumer group Which? and cyber security experts NCC Group performed tests on a variety of smart doorbells available via Amazon Marketplace and eBay, some of which closely resembled in-demand models such as Amazon Ring or Google Nest, to check for any vulnerabilities.
They discovered a host of flaws that can enable cybercriminals to access users’ sensitive data. Issues identified included weak password policies, a lack of data encryption and an excessive collection of customers’ private information.
Some of the faults allowed criminals to physically remove the doorbell, or made it easy for an intruder to switch off the device, Which? said.
Of the 11 devices tested, two – manufactured by little-known brands named Victure and Ctronics – possessed a “critical vulnerability” that could allow cybercriminals to steal the network password and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop, the group warned.
The Victure Smart Video Doorbell, labelled on Amazon as the number one bestseller in “door viewers”, was found to send customers’ home WiFi name and password unencrypted to servers in China. If stolen, this data could allow a hacker to access people’s home WiFi – enabling them to target their private data, and any other smart devices they own.
A doorbell from Ctronics available on Amazon and endorsed with the Amazon’s Choice logo appeared virtually identical to the Victure. The researchers determined it was a “near exact clone”, with the same data encryption vulnerabilities.
The researchers also found several of the doorbells came with weak and easy-to-guess default passwords. It is common for less tech-savvy consumers to leave the default passwords their gadgets come with unchanged, potentially exposing them to hackers.
Use of default passwords would be illegal under proposed Government legislation aimed at tightening security for all consumer smart devices sold in the UK.
Amazon said: “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed.”
Ebay said: “When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.”
Victure and Ctronics could not be reached for comment.