Investigation reveals the device sector is plagued with security bugs.
Smart doorbells, designed to let homeowners keep an eye on wanted and unwanted visitors, can often cause more security harm than good compared to their analog door-bolt alternatives. Consumer-grade digital doorbells are riddled with potential cybersecurity vulnerabilities, ranging from hardcoded credentials and authentication issues to devices shipping with longstanding, unpatched critical bugs.
That fresh assessment comes from NCC Group, which published a report last week outlining “domestic IoT nightmares.” In partnership with the publication Which?, it assessed smart doorbell models made by three vendors, Victure, Qihoo and Accfly, along with white-box offerings from three additional doorbell makers.
“Overall the issues we have seen during this research have outlined a poor approach to developing secure IoT devices. There are still devices being developed, shipped and sold with an array of issues, let alone these issues being cloned into knock-off, copycat devices,” wrote NCC Group’s co-authors of the report. The scope of the problems uncovered included undocumented features that, if known, could be exploited by hackers. Other issues found were tied to the mobile applications used to access the doorbells, along with vulnerabilities in the hardware itself.
Noticeably absent from the analysis are the names of market-share leader Ring Video Doorbell and the handful of other big players such as Nest, Vivint and Remo. Nevertheless, the study comes as a flood of smart doorbells has been introduced into the consumer market, feeding a robust appetite for the niche.
Smart doorbells led the charge in a 33 percent increase in smart home gadgets flooding U.S. homes in 2020, according to Hub Entertainment Research. Thirty-nine percent of all U.S. homes have a connected device.
Specific models examined were Victure’s VD300, Accfly’s Smart Video Doorbell V5 and Qihoo’s 360 D819 Smart Video Doorbell. Another doorbell, identified only as “Smart WiFi Doorbell” and using hardware from manufacturer YinXx, was also examined. In addition, an unspecified “HD Wi-Fi Video Doorbell V5” model was tested.
Lastly, a smart doorbell identified only as XF-IP007H was tested. A number of brands use “XF-IP007H” in their product names, including Extaum, Docooler and Tickas. These doorbells, like all of those tested by NCC Group, are sold at competitive prices and available through Amazon’s ecommerce website, Walmart.com and other popular online retailers.
Researchers said the majority of the devices analyzed were clones of the Victure doorbell, which had a number of preexisting security issues associated with it.
One issue identified in the Qihoo device was an undocumented and fully functional DNS service. “Investigation into this type of service can sometimes lead down the route of a covert DNS channel for malware delivery. We did not see anything during testing that could lead us into such a rabbit hole,” wrote researchers.
On the Victure doorbell, an undocumented HTTP service was found running on port 80. Researchers noted the service required credentials; however, those credentials could easily be extracted from “an unbranded clone of this device for sale online.”
“The firmware was extracted from the cloned device to retrieve the login details by simply performing strings across the firmware. Further analysis of the device firmware revealed the API calls required to interact with the device,” researchers wrote. Next, combing through the output logs, researchers found cleartext Wi-Fi names and passwords that could be used in an attack against the Victure doorbell.
Mobile App Attack
Digital lock picking via the mobile applications used to control the digital doorbells was a cinch, thanks to unencrypted communications.
“On a number of devices, HTTPS was not enforced or didn’t even exist as a communication method on a range of mobile applications such as the Victure mobile application, which was found to be requesting a root certificate via an HTTP request,” researchers wrote.
A lack of encryption could allow sensitive information, such as usernames and passwords, to be “seen” in the data communications between the mobile device and the digital lock’s backend services.
Another attack vector discussed was the abuse of QR codes, a type of image-based barcode for quickly obtaining additional information. Many of the digital doorbells, in attempts to simplify access, allowed customers to use their phone’s camera to take a picture of a QR code, which configures the user’s app with the correct credentials.
“Some people use their smartphones to take screenshots of different things, while most modern smartphones also automatically backup photos,” researchers said. In this scenario, an adversary with access to a user’s cloud-based camera roll backup would also have access to the QR codes. “The attacker can then quickly decode the QR code and extract the plaintext BSSID and password for the Wi-Fi network instead of having to attempt a deauth and/or evil twin attack,” they wrote.
Researchers pointed out that the physical doorbell hardware often was not securely mounted and could easily be removed for tampering.
“The main method for these devices to be secured was using a mounting bracket that was either glued or screwed onto a flat surface and the device sat in the mounting bracket. It would be easy for an attacker to quickly release the doorbell from the bracket and steal the device in under 10 seconds and some of the devices had no method of notifying the user until it was too late that it was turned off, or moved,” they wrote.
Only one digital doorbell used a pressure trigger that would sound an alarm if tampered with. Even so, the researchers pointed out that a 2.4GHz jammer could thwart any alarm, after which the attacker could remove the device’s batteries or disable the power cable.
By detaching the hardware, an attacker could siphon video captured by the doorbell and stored on its SD card to determine typical occupant behavior. The firmware could also be extracted and used to identify the Wi-Fi BSSID and plaintext Wi-Fi password needed to access the network.
“Once the firmware was obtained it was possible to analyse it using a range of binary analysis tools (Binwalk, Ghidra, even Linux tools as simple as Strings) to break down the firmware structure and discover sensitive information contained within the firmware including hardcoded credentials, IP addresses and break down the firmware to understand the firmware and its potential weaknesses,” researchers wrote.
Using this technique, NCC Group researchers determined that one of the doorbell devices still had an unpatched Key Reinstallation Attacks (KRACK) vulnerability. The KRACK vulnerability, plugged in 2017, allows attackers to decrypt encrypted traffic, steal data and inject malicious code, depending on the network configuration.
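The firmware review the researchers describe (strings across the image, then hunting for hardcoded credentials and IP addresses) is exactly the check a vendor can run on its own build before shipping. The following is an added example, not code from NCC Group or the article: a small Python release gate that extracts printable strings from a firmware blob and flags credential, SSID and IPv4 leaks. The firmware bytes and the leaked values are constructed for the example.

```python
import re
import string
from typing import Dict, List, Tuple

# Constructed sample "firmware": opaque binary bytes interleaved with the kind
# of cleartext NCC Group reported finding (HTTP login, Wi-Fi SSID/password,
# a backend IP). Not real firmware from any product.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x00\x00" + bytes(range(0, 32)) +
    b"http_user=admin\x00" + b"\xff" * 9 +
    b"http_pass=doorbell123\x00" + b"\x00\x13\x03" +
    b"wifi_ssid=HomeNet\x00wifi_psk=hunter2pass\x00" +
    b"\x90" * 7 + b"cloud_api=10.0.0.5\x00" + b"ver=1.0.3\x00"
)

# Printable ASCII, excluding control whitespace so runs break on \n, \t etc.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Each pattern is a class of leak a release gate should refuse to ship.
FINDING_PATTERNS: Dict[str, re.Pattern] = {
    "credential": re.compile(r"(?i)\b\w*(pass|pwd|psk|secret)\w*\s*=\s*\S+"),
    "wifi_ssid": re.compile(r"(?i)\b\w*ssid\w*\s*=\s*\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Same idea as the `strings` tool: runs of >= min_len printable bytes."""
    found, run = [], bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def scan_firmware(blob: bytes) -> List[Tuple[str, str]]:
    """Return (finding_class, offending_string) pairs; empty list means clean."""
    findings = []
    for s in extract_strings(blob):
        for kind, pat in FINDING_PATTERNS.items():
            if pat.search(s):
                findings.append((kind, s))
    return findings


if __name__ == "__main__":
    for kind, s in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{kind:10s} {s}")
```

A non-empty result from `scan_firmware` is a build-breaking finding; the version string and a plain username are deliberately not flagged, so the gate reports only the secrets and network details the report calls out.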
Concerns Over Victure Clones
“It can be confirmed conclusively that the majority of the devices analyzed were clones of the Victure doorbell which already had a range of security issues associated with it. There was also evidence to show that the mobile applications that were being used by multiple cloned doorbells were clones of each other as well,” researchers wrote.
Researchers said the concerns were widespread and pointed to a lack of a security-by-design ethos among doorbell manufacturers. They added that, sadly, digital doorbell makers weren’t alone, and that similar issues plagued other devices such as smart plugs.