Students at Florida Tech have discovered that most cheap video doorbells and security cameras are highly insecure – they are capable of spying on you.
In fact, mention video doorbell security, and you immediately think of the Amazon Ring debacle and the wholesale transmission of its user’s data (without their permission) to Amazon, Facebook, and Google!
But this goes far deeper. Pretty well all cheap video doorbells and security cameras can spy on you. What is worse – the security flaws appear intentional. We speculate why, later in the article.
Here is a summary of the students and another reputable investigative company’s findings. If it scares you then read the full article below.
Most cheap video doorbells and security cameras come from a handful of Chinese manufacturers (ODMs) using a standard, generic design and components.
That design has secret and untraceable backdoors that allow access to the camera, video feed and even your home Wi-Fi network.
No firmware updates to close the holes.
For now, we urge you not to buy cheap video doorbells and security cameras and if you already have them get rid of them as fast as you can. And be aware – generics, no matter how prettily packaged are everywhere from Bunnings to JB Hi-Fi.
Most video doorbells and security cameras are highly insecure (full article)
There are a few ‘safer’ brands in Australia – Arlo, Nest, Uniden, Swann, and D-Link have better design control. For example, Arlo has its own cloud, designs its motherboards and firmware and uses its factories in Vietnam. From a backdoor spy prevention perspective, that is what you need.
The risk is hundreds, if not thousands of cheap, generic brands and models churned out from Chinese ODMs
Why? Because most generics use the same electronics, operating systems, firmware, cloud and wrap it in a cosmetically different housing – white labelling. Then AliExpress, eBay, Amazon, Kogan, Dick Smith or other merchant sites flog them. It is cheaper to do it that way.
Some generics have better pedigree and marketing than others. In Australia Laser Co (Connect Smart), Brilliant Lighting, and Jaycar come to mind. Most of these use a generic Tuya IoT cloud (China-based) and at least attempt to obtain firmware updates from the ODMs. But as <$100 products you can’t expect long support periods.
Suspect brands include EUFY, EZviz (Hikvision), Merkury, Geeni, Orion, Youpin, Qihoo, Accfly, Banggood, Chuango, Kogan, Dick Smith, Imou, 360, Vivitar, Eken, Lyeef and hundreds of Ring knockoffs are the main risk. Just look at AliExpress here – there are 5390 results!
Further investigation with Made In China notes 11,554 current video doorbell products from 525 ODMs. Digging in FCC records shows that there are currently about eight variations to a standard motherboard design – integrated camera/speaker/PIR/IR module, audio/video processor Wi-Fi, power/charging (battery) and generally a Linux/ARM-based IoT controller with a SIP and IP web-interface.
Many apps generate a QR code on the phone to connect to the device during setup. Such codes may be insecure, especially when used to add profiles to access the device
No back end authentication of API requests
HTTP Port 80 allows undocumented login and allows commands like open, upload and close. This is part of Huawei LiteOS (Huawei’s “1+2+1” Internet of Things solution). Huawei freely distributes LiteOS via open-source development kits and industry offerings. Hackernews confirms its widespread use because its free. See below
And the big one
Data sent to other countries without permission, especially clouds in China like CloudEdge for Android and iOS (app-logs.meari.com.cn) used by many ODMs. Note: Elinz Camera’s here use this. Forbes found that CloudEdge uses dozens of different names on more than 30 brands of doorbell cameras sold retail in the US.
The data includes full smartphone data, ID, logs, contacts, GPS location, Wi-Fi credentials, and much more.
“Confirmed conclusively that the majority of the devices were clones, all of which have the same security issues. Mobile applications were clones of each other as well. The firmware binaries proved the devices’ hardware design and manufacturing were similar.”
GadgetGuy’s take – bloody hell
It is a bold, fact-backed statement – Most cheap video doorbells and security cameras are highly insecure
This is current – nccgroup released its finding on 18 December 2020 and the Florida Tech on 4 February 2021.
Simply put if you buy a generic camera or video doorbell, you open your home up to spying, criminal access and even nation-state attacks. Your video camera or doorbell could be leading a DDoS attack on major infrastructure right now!
And it is your fault! You are reinforcing generic production using third-party software and third-party parts because you buy cheap.
But what is worse is that any generic IoT devices are made the same way. Think of connected security cameras, locks, speakers, light bulbs, power points, printers, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes – the list is endless. If they connect to the home network via Wi-Fi or even BT, they can phone home.
Its all about your data
A recent Australian survey by Telsyte shows 42% of Aussies have no idea where their security camera data is stored. Do that matter? Hell yes!
Knowledge is power, and absolute knowledge is absolute power.
Does it matter if it is stored in the dark web for criminal purposes. Or somewhere that a nation-state can access and use it? With just your IP address, cyber spies can access your home network, cameras, computer, and even your phone. A nation-state could simply shut it down.
Now is not the time to lambast Google, Amazon and Apple for their privacy invasion via smart assistants and smartphones. At least we know that they share western values and only want to empty our pockets.
GadgetGuy has ceased reviewing smart IoT devices that don’t meet reasonable standards for privacy or that come from generic suppliers where firmware and security upgrades never happen.
ReFirm Labs Binwalk Enterprise IoT security tools helped the Florida Tech students uncover the vulnerabilities. ReFirm says a short term fix would be to implement mandatory Cybersecurity Certification Labels. But longer term retailers and consumers need to step up and stop buying insecure rubbish.
ReFirm says Governments have policies to stop retailers selling products that burn down your house down or make you sick. How about not selling horribly insecure IoT devices that turn your house into a hacker’s playground?