
Smart doorbells are "a nightmare" for cybersecurity, according to an NCC report

NCC Group, a consulting firm specializing in cybersecurity, published a report a few days ago analyzing the security of the IoT devices known as 'smart doorbells'. It examined the main models available on the market among those manufactured by Victure, Qihoo and Accfly.

Their conclusion is summed up in the label these devices received, "nightmares of the domestic Internet of Things", after they were found to be riddled with vulnerabilities.

The purpose of smart doorbells is to warn the owners of homes or premises of the arrival of wanted and unwanted visitors, while also letting them see and communicate with those visitors, which makes the devices substitutes for peepholes and telephones as well.

However, according to NCC, these devices can bring us more problems than security. The problems detected range from undocumented functionalities that, if known, could be exploited by cyber attackers, to serious vulnerabilities in the hardware itself or in the mobile apps used to manage them.


This is worrying because 39% of US households currently have an IoT device (a percentage that has grown 33% throughout this year), and smart doorbells are the most popular category in this area.

Undocumented functionalities

In one of the analyzed models, the researchers found a fully functional DNS service, which could have led to its use for the spread of malware.

Another of the models had an HTTP service running on port 80. Although accessing it required the use of credentials, these could be extracted as plain text from a white-label clone model available for purchase online.

Vulnerabilities in mobile apps

The researchers found that quite a few of the apps that manage the analyzed devices connected to them over unencrypted HTTP rather than over HTTPS, which exposes sensitive information such as usernames and passwords.
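An added example, not taken from the NCC report or from any vendor's code: a Python check to run over HTTP requests captured from your own doorbell app's traffic, reporting which credential-bearing fields travel in cleartext without echoing their values. The field-name list, the sample requests and the 192.0.2.10 address are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Field names treated as sensitive (assumed list; extend for the app under test).
SENSITIVE = {"user", "username", "login", "email", "pass", "password", "pwd", "token"}

def audit_request(raw: bytes) -> list[str]:
    """List where one cleartext HTTP request carries credentials (values never echoed)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["unparseable request line"]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # Credentials in the URL also end up in server and proxy logs.
    for key, _ in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            findings.append(f"query parameter '{key}'")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in SENSITIVE:
                findings.append(f"form field '{key}'")
    # HTTP Basic auth is base64-encoded, not encrypted.
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            findings.append("Basic credentials" if ":" in decoded else "malformed Basic header")
        except ValueError:
            findings.append("malformed Basic header")
    return findings

# Constructed sample requests (192.0.2.10 is a documentation address).
HOST = b"Host: 192.0.2.10\r\n"
SAMPLES = [
    b"POST /login HTTP/1.1\r\n" + HOST + b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=example",
    b"GET /snapshot?user=alice&pwd=example HTTP/1.1\r\n" + HOST + b"\r\n",
    b"GET /status HTTP/1.1\r\n" + HOST + b"Authorization: Basic "
    + base64.b64encode(b"alice:example") + b"\r\n\r\n",
    b"GET /ping HTTP/1.1\r\n" + HOST + b"\r\n",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split(b"\r\n", 1)[0].decode(), "->", audit_request(sample) or "clean")
```

Any non-empty result means that request should only ever be sent over HTTPS.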

Another vulnerability of these apps lies in the abuse of QR codes. Because the apps allow photos of the codes to be taken as a way to configure them, many phones end up duplicating those images in the cloud, from where it takes little effort to extract the access data for the device.


Hardware vulnerabilities

The physical mounting systems of the doorbells often make it quick and easy for attackers to remove them without triggering any alarm (with the exception of one of the models analyzed, which is equipped with a pressure trigger to detect this kind of handling).

The serious thing about this is not that the doorbells can be stolen, but that they can be manipulated: once there is physical access to the device, all kinds of sensitive information contained in the firmware can also be accessed.

To top it off, while testing this method of accessing the firmware, the experts detected models that had not yet patched the vulnerability known as 'KRACK', despite the fact that it was detected in 2017.

Via | Threatpost