Cheap video doorbells and security cameras are highly insecure

Students at Florida Tech have discovered that most cheap video doorbells and security cameras are highly insecure – they are capable of spying on you.

In fact, mention video doorbell security, and you immediately think of the Amazon Ring debacle and the wholesale transmission of its users’ data (without their permission) to Amazon, Facebook, and Google!

But this goes far deeper. Pretty well all cheap video doorbells and security cameras can spy on you. What is worse – the security flaws appear intentional. We speculate why, later in the article.

Here is a summary of the findings of the students and of another reputable investigative company. If it scares you, then read the full article below.
  • Most cheap video doorbells and security cameras come from a handful of Chinese manufacturers (ODMs) using a standard, generic design and components.
  • That design has secret and untraceable backdoors that allow access to the camera, video feed and even your home Wi-Fi network.
  • No firmware updates to close the holes.

For now, we urge you not to buy cheap video doorbells and security cameras, and if you already have them, get rid of them as fast as you can. And be aware – generics, no matter how prettily packaged, are everywhere from Bunnings to JB Hi-Fi.

Most video doorbells and security cameras are highly insecure (full article)

This article represents paraphrased findings from the students under Dr TJ O’Connor, Cybersecurity Program Chair, Florida Tech and similar research from nccgroup conducted for Which? UK. In any case, both back up the statement – Most cheap video doorbells and security cameras are highly insecure.

There are a few ‘safer’ brands in Australia – Arlo, Nest, Uniden, Swann, and D-Link have better design control. For example, Arlo has its own cloud, designs its motherboards and firmware and uses its factories in Vietnam. From a backdoor spy prevention perspective, that is what you need.

The risk is hundreds, if not thousands of cheap, generic brands and models churned out from Chinese ODMs

Why? Because most generics use the same electronics, operating systems, firmware and cloud, and wrap them in a cosmetically different housing – white labelling. Then AliExpress, eBay, Amazon, Kogan, Dick Smith or other merchant sites flog them. It is cheaper to do it that way.

Some generics have better pedigree and marketing than others. In Australia Laser Co (Connect Smart), Brilliant Lighting, and Jaycar come to mind. Most of these use a generic Tuya IoT cloud (China-based) and at least attempt to obtain firmware updates from the ODMs. But as <$100 products you can’t expect long support periods.

Suspect brands include EUFY, EZviz (Hikvision), Merkury, Geeni, Orion, Youpin, Qihoo, Accfly, Banggood, Chuango, Kogan, Dick Smith, Imou, 360, Vivitar, Eken and Lyeef. These and hundreds of Ring knockoffs are the main risk. Just look at AliExpress here – there are 5390 results!

Further investigation with Made In China notes 11,554 current video doorbell products from 525 ODMs. Digging in FCC records shows that there are currently about eight variations to a standard motherboard design – integrated camera/speaker/PIR/IR module, audio/video processor Wi-Fi, power/charging (battery) and generally a Linux/ARM-based IoT controller with a SIP and IP web-interface.

Oh, and Wi-Fi security cameras have 12,846 listings. I guess that is OK for a country of 1.3 billion people.

Main spyware issues

The students found

  • Remote Telnet access (CVE-2020-28998) that easily exposes MD5 4-digit hashed passwords
  • Undocumented and untraceable backdoor account (CVE-2020-28999) that allows remote access to the device or a streaming video feed. This account is invisible to any logs
  • Ability to redirect a telnet session to another device (CVE-2020-29000) and bypass any firewalls
  • Remote code execution (CVE-2020-29001) to access files and to install malware on other devices
  • Ability to stop the doorbell functioning (to allow criminal access).

Sadly, Walmart, Amazon, Home Depot, Best Buy and many more online merchants sell these extremely popular cameras in the US.

Overview of nccgroup findings

In addition to the student findings, nccgroup found

  • DNS (Domain Name System) port 53 – enables DNS hijack of IoT devices on the home network instead of obtaining a DHCP IP address from the router – great for setting up botnets.
  • Wi-Fi credentials stored in the device in clear text – not encrypted.
  • Ability to connect to a remote backend server – control DDoS Botnets.
  • System commands outside login – factory reset (wipe), console, sleep and active
  • Remote firmware commands – flash (and several options)
  • Untraceable internet-facing gateways www-user@XXXXXX remotely accessible
  • Unencrypted mobile app communication
  • Root certificate-granting via an HTTP request
  • Many apps generate a QR code on the phone to connect to the device during setup. Such codes may be insecure, especially when used to add profiles to access the device
  • No back end authentication of API requests
  • HTTP port 80 allows undocumented login and allows commands like open, upload and close. This is part of Huawei LiteOS (Huawei’s “1+2+1” Internet of Things solution). Huawei freely distributes LiteOS via open-source development kits and industry offerings. Hackernews confirms its widespread use because it’s free.

And the big one

  • Data sent to other countries without permission, especially clouds in China like CloudEdge for Android and iOS (app-logs.meari.com.cn) used by many ODMs. Note: Elinz cameras here use this. Forbes found that CloudEdge uses dozens of different names on more than 30 brands of doorbell cameras sold retail in the US.
  • The data includes full smartphone data, ID, logs, contacts, GPS location, Wi-Fi credentials, and much more.
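
One way to check whether a device on your own network is contacting the cloud host named above, as an added example that is not from the article or the researchers: it scans dnsmasq query logs (a router or Pi-hole with `log-queries` enabled) and reports which local clients looked up names under that domain. Watching the whole parent domain `meari.com.cn` is an assumption made here, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Parent domain of the host named in the article (app-logs.meari.com.cn).
# Watching the whole parent domain is an assumption; add others you observe.
WATCHLIST = ("meari.com.cn",)

# dnsmasq "log-queries" line: "... dnsmasq[pid]: query[A] name from client"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def on_watchlist(name, watchlist=WATCHLIST):
    """True if name is a watched domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    # Match on a label boundary so "notmeari.com.cn" is not flagged.
    return any(name == d or name.endswith("." + d) for d in watchlist)

def flag_clients(log_lines, watchlist=WATCHLIST):
    """Return {client_ip: {queried_name: count}} for watched lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)  # ignores "forwarded"/"reply" lines
        if m and on_watchlist(m["name"], watchlist):
            hits[m["client"]][m["name"].rstrip(".").lower()] += 1
    return {client: dict(names) for client, names in hits.items()}

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
Feb  4 10:00:01 dnsmasq[812]: query[A] app-logs.meari.com.cn from 192.168.1.50
Feb  4 10:00:01 dnsmasq[812]: forwarded app-logs.meari.com.cn to 1.1.1.1
Feb  4 10:00:07 dnsmasq[812]: query[A] example.org from 192.168.1.20
Feb  4 10:05:01 dnsmasq[812]: query[AAAA] APP-LOGS.meari.com.cn. from 192.168.1.50
Feb  4 10:06:30 dnsmasq[812]: query[A] notmeari.com.cn from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        for name, count in names.items():
            print(f"{client} looked up {name} {count} time(s)")
```

A client that shows up here can then be matched to a physical device through the router's DHCP lease table.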

nccgroup concludes

“Confirmed conclusively that the majority of the devices were clones, all of which have the same security issues. Mobile applications were clones of each other as well. The firmware binaries proved the devices’ hardware design and manufacturing were similar.”

Most use a generic motherboard to keep costs down

GadgetGuy’s take – bloody hell

It is a bold, fact-backed statement – Most cheap video doorbells and security cameras are highly insecure

This is current – nccgroup released its findings on 18 December 2020 and Florida Tech on 4 February 2021.

Simply put, if you buy a generic camera or video doorbell, you open your home up to spying, criminal access and even nation-state attacks. Your video camera or doorbell could be leading a DDoS attack on major infrastructure right now!

And it is your fault! You are reinforcing generic production using third-party software and third-party parts because you buy cheap.

But what is worse is that any generic IoT devices are made the same way. Think of connected security cameras, locks, speakers, light bulbs, power points, printers, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes – the list is endless. If they connect to the home network via Wi-Fi or even BT, they can phone home.

If it connects to the internet it can spy

It’s all about your data

A recent Australian survey by Telsyte shows 42% of Aussies have no idea where their security camera data is stored. Does that matter? Hell yes!

Knowledge is power, and absolute knowledge is absolute power.

Does it matter if it is stored in the dark web for criminal purposes? Or somewhere that a nation-state can access and use it? With just your IP address, cyber spies can access your home network, cameras, computer, and even your phone. A nation-state could simply shut it down.

Now is not the time to lambast Google, Amazon and Apple for their privacy invasion via smart assistants and smartphones. At least we know that they share western values and only want to empty our pockets.

GadgetGuy has ceased reviewing smart IoT devices that don’t meet reasonable standards for privacy or that come from generic suppliers where firmware and security upgrades never happen.

For that reason, we support Arlo’s privacy as a pledge. So far, no other security camera maker has been able to match it.

Now is the government’s time to make more than voluntary policy statements

The Australian Government’s Code of Practice – Securing the Internet of Things for Consumers (it is a PDF – check downloads) is voluntary. It’s not working! Mandatory means teeth!

ReFirm Labs Binwalk Enterprise IoT security tools helped the Florida Tech students uncover the vulnerabilities. ReFirm says a short-term fix would be to implement mandatory Cybersecurity Certification Labels. But longer term, retailers and consumers need to step up and stop buying insecure rubbish.

ReFirm says governments have policies to stop retailers selling products that burn your house down or make you sick. How about not selling horribly insecure IoT devices that turn your house into a hacker’s playground?