Millions at Risk of Hacking


Consumer Reports exposes security vulnerabilities in popular video doorbells allowing unauthorized access, stolen footage, and privacy risks. Learn how to protect your home from insecure devices.

The video doorbell market has been flooded with a wide variety of brands, devices, versions, and sellers, making it difficult for buyers to find safe and reliable products. To complicate matters further, a report by Consumer Reports (CR) found that these devices lack basic access controls on their network traffic, enabling strangers to freely access private video thumbnails.

Investigation

CR’s investigation identified significant security vulnerabilities in video doorbells that could allow attackers to gain unauthorized access to video footage, control doorbell functions, or even steal personal information.

It all started when a CR journalist received an email with grainy images of herself waving at a doorbell camera, sent by CR privacy and security test engineer Steve Blair after hacking into the doorbell from 2,923 miles away.


Blair and fellow test engineer Della Rocca probed further and discovered security flaws in cheap, insecure electronics from Chinese manufacturers sold on online marketplaces like Amazon, Walmart, Sears, and Shein. 

The doorbells lacked a visible ID issued by the Federal Communications Commission (FCC), making them illegal to distribute in the U.S. The researchers discovered security issues in video doorbells sold under the Eken and Tuck brands. At least 10 similar devices, and all of the analyzed doorbells, are controlled through an Eken-owned mobile app, Aiwit. Two products, sold under the Fishbot and Rakeblue brands, showed similar vulnerabilities.

Eken and Tuck are strong sellers, with multiple listings on Amazon generating over 4,200 sales in January 2024 alone. The doorbells are also available on Walmart.com, sears.com, and global marketplaces Shein and Temu under different names like Andoe, Gemee, and Luckwolf.

Potential Dangers

Anyone with physical access can hijack the doorbell without needing advanced tools or hacking skills. They only have to download the app and pair the device to their phone to view the camera’s video feed indefinitely.

Threat actors can control doorbells to monitor family members’ movements, and their IP addresses and WiFi network names are exposed without encryption. Poor security on the company servers that store videos may further increase the threat. The Aiwit smartphone app can pair doorbells with WiFi hotspots, allowing people to access video feeds without passwords or accounts. Stalkers or other adversaries can identify device serial numbers and access still images from the video feed even if the original owner regains control of the device.

Justin Brookman, director of technology policy for CR, suggests that e-commerce platforms, particularly big names like Amazon, should take responsibility for the harm caused by their products. Eken, Tuck, Amazon, Walmart, Sears, Shein, Temu, and the Federal Trade Commission have been notified about the issues by CR.

Temu has now removed all doorbells made by Eken and its app from its website, and Walmart stated that items not meeting safety, reliability, and compliance standards will be removed and blocked. However, CR found “similar-looking” doorbells still available on these platforms. Amazon, Sears, and Shein have yet to respond.

How to secure your doorbell camera?

Although 100% security is a myth, here are some steps you can take to protect your doorbell from hackers and from spying by third parties:

Choose a Reputable Brand:

  • Avoid unbranded or cheap video doorbells, especially those from unfamiliar manufacturers.
  • Look for established security companies or well-known brands with a history of prioritizing security.

Check for Security Features:

  • Make sure your doorbell uses strong encryption for video transmission and storage.
  • Look for features like two-factor authentication (2FA) for logins and activity alerts.

Secure Your Wi-Fi Network:

  • Use a strong password for your Wi-Fi network and enable encryption (WPA2 or WPA3).
  • Consider creating a separate guest network for devices like your doorbell, keeping it isolated from your main network with sensitive data.

Manage App Permissions:

  • Only grant the doorbell app the minimum permissions necessary, like access to the camera and microphone.
  • Avoid apps from unknown developers and stick to official ones from the manufacturer.

Keep Firmware Updated:

  • Regularly update your doorbell’s firmware to ensure you have the latest security patches and bug fixes.
  • Enable automatic updates if available to stay protected.

Monitor Activity:

  • Be aware of who has access to your doorbell and monitor activity logs.
  • Look for any suspicious login attempts or unusual activity.

Consider Privacy Settings:

  • Adjust your doorbell’s privacy settings to control what areas are recorded and how long footage is stored.
  • Disable features you don’t need, like motion detection in public areas.
  • FCC ID: Look for a visible FCC ID on your doorbell. Devices without it might be illegal and lack proper security measures.
  • Physical Security: Make sure your doorbell is physically secure and can’t be easily tampered with.