The U.K.-based security company NCC Group and consumer advocacy group
Which? have found vulnerabilities in 11 “smart” doorbells sold on popular
platforms like Amazon and eBay. CyberScoop reports: One flaw could allow
a remote attacker to break into the wireless network by swiping login
credentials. Another critical bug, which has been around for years, could
enable attackers to intercept and manipulate data on the network. The
investigation focused on doorbells made by often obscure vendors, but
which nonetheless earned top reviews and featured prominently on Amazon
and eBay. The researchers raised concerns that some of the devices were
storing sensitive data, including location data and audio and video
captured by the doorbell’s camera, on insecure servers. One device made
by a company called Victure, for example, sent a user’s wireless name and
password, unencrypted, to servers in China, according to the researchers.
In a statement, Amazon said it requires products sold on its site to be
compliant with applicable laws and regulations, and that it has tools to
detect “unsafe or non-compliant products from being listed in our
stores.” eBay said it takes down listings that violate its safety
standards, but that the devices flagged by the researchers did not meet
that threshold. Victure did not immediately respond to a request for
comment. The NCC Group-Which? team said they tried to contact the various
vendors of the vulnerable smart doorbells, with mixed success. The
unnamed vendor of one device, for example, removed an online listing for
the product after the researchers shared their findings. …