Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security
from the dumber-is-better dept
As we've noted with most internet of broken things products, "smart" devices quite often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of the 16 smart locks it tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.
"Smart" doorbells aren't much better. A new study by Consumer Reports studied 24 different popular smart doorbell brands, and found substantial security problems with at least five of the models. Many of these flaws exposed user account information, WiFi network information, or, even in some cases, user passwords. Consumer Reports avoids getting too specific as to avoid advertising the flaws while vendors try to fix them:
"Since the manufacturers have yet to fix all but one of the 11 vulnerabilities we discovered, we can’t fully describe the issues since we want to avoid supplying information to potential hackers. However, we can tell you which models are affected, some of the risks facing consumers, and how the manufacturers responded to our findings."
The report also found that most models of smart doorbells collect way more data than is actually needed to function (Amazon/Ring's relationship with law enforcement has been well documented by Tim Cushing). Beyond that, barely a quarter of the brands could be bothered to implement two-factor authentication, considered a fairly basic necessity to prevent your account from being compromised:
"Our tests also revealed that most video doorbells lack two-factor authentication, a widely used security feature that sends users a temporary, onetime passcode typically via text message, email, phone, or mobile app to use in addition to their password for logging into their accounts. With this feature enabled, a hacker can’t log in to your video doorbell account even if they have your password. In fact, barely a quarter of the brands we tested have two-factor authentication. The only ones that have it are Arlo, August, Google Nest, Ring, and SimpliSafe."
As some security analysts like Bruce Schneier have long noted, there's a market failure here in that consumers can't be bothered to research what they buy, manufacturers can't be bothered to properly secure their gear before moving on to hype the next model, and government guidance or punishment for lax security is inconsistent at best. Most of these products are advertised as smarter alternatives to older, dumber tech. But they inadvertently advertise how, in many instances, dumb technology (like a deadbolt, traditional doorbell, or a dog) is consistently the smarter option.