Since the day that the smart doorbell arrived on an episode of Shark Tank, it’s been getting more and more popular among businesses, both large and small. Incredibly, you can visibly see someone ringing in and requesting access to your building, and what’s even more impressive is that you can talk to them from either a PC in the office or even a mobile device if you’re not there.
However, in recent months, along with all of the cyberattacks going on, the NCC Group has released a report showing that all of these smart doorbells have numerous cybersecurity flaws that allow them to be hacked and taken advantage of. The security threats range from flaws in the code of the actual app and authentication problems to devices sent to consumers and businesses without critical patches or firmware updates applied.
What Should I Do if I Have a Smart Doorbell?
First, you need to know just what vulnerabilities your smart doorbell may have. Some have undocumented issues that haven’t been made public but pose a severe threat if hackers exploit them. Others are connected to malware-implanted apps, or to security holes and bugs in their mobile applications (or even duplicate apps), that allow a hacker to access the doorbell at any time. Whatever you choose to do, don’t panic, and call a professional.
What Devices Are Affected?
Some models have already been carefully studied, and researchers are looking into more models and brands. Here are some that have been examined and proven to have security flaws:
- Victure VD300
- Accfly Smart Video Doorbell V5
- Qihoo 360 D819 Smart Doorbell
- Smart WiFi Doorbell (using hardware from YinXn – a popular digital third-party manufacturer).
- XF-IP007H doorbell, sold under a lot of brands, including Extaum, Docooler, and Tickas.
The group tested all of these smart doorbells, and they are sold at reasonable prices everywhere online, from Amazon to Walmart and other online stores (like Target, Best Buy, NewEgg, and more). Most of these devices were just clones of the original Victure model, which already had security issues.
Issues that the Doorbells May Have
One issue the NCC Group found, which the companies or manufacturers didn’t document, was that the doorbells (particularly the Qihoo smart doorbells) could provide a DNS service that could serve as a DNS channel for the delivery of malware and other viruses. It gives cyber attackers a back door on a dedicated but unknown DNS channel.
The Victure models also have an HTTP service running on port 80, broadcasting like a web page. While credentials are needed to log into the device, these could quickly be taken from another unbranded device that was essentially a clone (which appears to be almost all of them). With those credentials, the Wi-Fi usernames and passwords stored on the devices can be extracted.
Mobile Not-So-Friendly
Hackers can also use the HTTP port and exploit the fact that HTTPS isn’t used on these devices. This can allow them to do what’s known as lock picking, using mobile apps to control the devices. It also enables hackers to lock users out of the “backend” on the mobile apps and abuse their QR code exploits.
Hardware Problems Galore
The group also found that the hardware itself isn’t mounted very securely. Hackers who want to gain access to a building, or who are attempting to hack the device or insert malware, can easily take the device off a building.
Many of them are just screwed on, and a person can steal the doorbell in the blink of an eye – and insert their device into it (or tamper with the one they just stole). Once this is done, the firmware is at extreme risk – except for one model with an alarm system that would sound using a pressure trigger that provided some tamper resistance.
So What Am I Supposed to Do if I Have a Smart Doorbell?
As pointed out, your company’s network must be completely secured against security threats. You need to have a solid backup solution, IT training for your employees, and, even more importantly, a secure backend that will keep hackers out even if they can get into your system via your smart doorbell. Or, you could always ensure that your brand is up to date with the latest security patches and isn’t just a knockoff of those marked as vulnerable.
You could also always opt into having a manual doorbell or intercom doorbell system installed on a landline, as it’s proving that the “old ways” were more secure than some of the latest conveniences. Ask your managed service provider about the options they can give you regarding these items.