Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security

from the dumber-is-better dept

As with most internet of broken things products, we’ve noted how “smart” devices quite often aren’t all that smart. More than a few times we’ve written about smart lock consumers getting locked out of their own homes without much recourse. Other times we’ve noted how the devices simply aren’t that secure, with one study finding that 12 of the 16 smart locks it tested could be relatively easily hacked thanks to flimsy security standards, something that’s the primary feature of many internet of broken things devices.

“Smart” doorbells aren’t much better. A new study by Consumer Reports examined 24 different popular smart doorbell brands, and found substantial security problems with at least five of the models. Many of these flaws exposed user account information, WiFi network information, or, in some cases, even user passwords. Consumer Reports avoids getting too specific so as not to advertise the flaws while vendors try to fix them:

“Since the manufacturers have yet to fix all but one of the 11 vulnerabilities we discovered, we can’t fully describe the issues since we want to avoid supplying information to potential hackers. However, we can tell you which models are affected, some of the risks facing consumers, and how the manufacturers responded to our findings.”

The report also found that most models of smart doorbells collect way more data than is actually needed to function (Amazon/Ring’s relationship with law enforcement has been well documented by Tim Cushing). Beyond that, barely a quarter of the brands could be bothered to implement two-factor authentication, considered a fairly basic necessity to prevent your account from being compromised:

“Our tests also revealed that most video doorbells lack two-factor authentication, a widely used security feature that sends users a temporary, onetime passcode typically via text message, email, phone, or mobile app to use in addition to their password for logging into their accounts. With this feature enabled, a hacker can’t log in to your video doorbell account even if they have your password. In fact, barely a quarter of the brands we tested have two-factor authentication. The only ones that have it are Arlo, August, Google Nest, Ring, and SimpliSafe.”

As some security analysts like Bruce Schneier have long noted, there’s a market failure here in that consumers can’t be bothered to research what they buy, manufacturers can’t be bothered to properly secure their gear before moving on to hype the next model, and government guidance or punishment for lax security is inconsistent at best. Most of these products are advertised as smarter alternatives to older, dumber tech. But they inadvertently advertise how, in many instances, dumb technology (like a deadbolt, traditional doorbell, or a dog) is consistently the smarter option.


Comments on “Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security”

24 Comments
This comment has been deemed insightful by the community.
Ehud Gavron (profile) says:

Locks are meant to keep honest people out.

Rabbit hole: Check out "lockpickinglawyer" on YouTube. He’s done houses, businesses, secure locks, super secure locks, gun safes, padlocks, you name it. Usually in under a minute he shows you how to get around anything.

Locks prevent honest people from entering your house. People who want in can do any number of things from breaking a window to bashing in the doorstrike.

IoT introduces Yet Another Attack Vector (multiple points of failure is always weaker than single point of failure if the device fails-secure.)

I think EDUCATION is the answer. Educate the masses that their doorbell SHOULD NOT IN ANY WAY be on the Internet. Sure, that means you can’t let your kids in when you’re too lazy to be home on time. Sure, it means the FedEx guy has to leave the package outside instead of inside the home. It also means that J. Rando MethHead can’t use BT or WiFi or 5G (chortle) to open your door.

-cross apply all that to anything else that’s IoT. It may not have a "security of the domicile" application but who wants their bedroom lights turned on at midnight (other than people awake at midnight)? Who wants their TV set to watch porn loudly at 0300 (other than people watching porn……)? Who wants their oven starting a 45 minute bake cycle with nothing in it? All these REALLY HAPPEN.

Where is IoT useful? Everywhere. Where is the tradeoff between IoT and properly secured IoT (no such thing because in an arms race when the mfg and the customer have no incentive to participate, the opposing forces always win) in favor of the consumer? Never.

IoT is great for… mmm… "Fridge, show me what’s inside so I can see if I need to buy more milk." Anything that’s READ-ONLY has potential to be useful on the upside of the tradeoff.

Anything that’s read/write or read/write/act is on the downside and over time will get worse because of that arms race.

Down with IoT!!

E

Anonymous Coward says:

Re: Locks are meant to keep honest people out.

"Locks are meant to keep honest people out" is, if I’m being generous, an oversimplification. By that logic, we could get rid of locks—why do honest people need to be kept out?—or perhaps we’d all use dollar-store locks. But it seems that stuff locked up with really cheap locks does tend to get stolen more frequently.

Perhaps we should say that locks are meant to keep out the ignorant or lazy, or that they’re a way to use fear to extract money from the public.

Sure, that means you can’t let your kids in when you’re too lazy to be home on time.

30 years ago, we kids just carried keys. Except for one or two kids that became infamous for losing them around town.

Ehud Gavron (profile) says:

Re: Re: Locks are meant to keep honest people out.

By that logic, we could get rid of locks—why do honest people need to be kept out?

I alluded to that. A lock that can be opened prevents someone from breaking your window or your doorframe. If someone is determined to enter, they will. The question becomes how much hassle do you want to go through to fix it later.

  • Authentication… who are you?
  • Authorization… do you have authorization to access this facility
  • Mechanism… do you have the token to effect this for access
  • Access… shall I open the door for you now

This is all obviated by breaking things, so trusting a $50-$100 IoT thing is a waste of time except for those honest people.

You do make a good point. Honest people won’t come try your door to see if it’s unlocked… so you don’t really need a lock. Maybe a sticker like the "Protected by SomeAlarmCo" thing that looks like a really tough lock would work… to deter… the people who won’t be deterred by the lock in the first place.

It’s a game to them. If they lose, they don’t rob YOUR place, and they go to the NEXT place. No harm, no foul, no loss. If YOU lose, you get your stuff broken into, stuff stolen, insurance hassle, and months without stuff — some of which is irreplaceable.

How to win? Not sure.

How to break even? Not sure.

How to maximize your chances? Don’t use IoT or other means of making it easy to rob you. Don’t make your house/apt a target "Oh look, this guy has that dorky $20 doorbell we can ‘hotwire’ through BT to open. Let’s see what cool things he has inside if he can afford this doorbell…"

etc.

E

Scary Devil Monastery (profile) says:

Re: Re: Locks are meant to keep honest people out.

"Perhaps we should say that locks are meant to keep out the ignorant or lazy, or that they’re a way to use fear to extract money from the public."

Locks – most security devices – mainly discourage the opportunist.

A friend of mine who’s worked computer security used the following analogy;

"Imagine a thief going down the street, quickly trying every door handle on his way. When he finds an unlocked one he simply opens it, reaches in and grabs the first promising items (purses, nice jackets, briefcases, etc) he sees, backs out, closes the door, and swiftly walks away. A "lock" is meant to ensure your door isn’t the one he opens."

Against a dedicated aggressor, no viable defense exists, only speedbumps. The average person is unlikely to ever encounter a dedicated and competent aggressor in this way.

That leaves the average person threatened mainly by shoddy security measures for which the equivalent of skeleton keys exist; smartphones with built-in backdoors – are open to every aggressor, eventually; IoT devices vulnerable to one and the same java exploit? Open to every aggressor; OS with a known exploit? Open to every aggressor; Password vulnerable to dictionary attacks? Open to every aggressor.

The main problem is that although a mediocre lock or firewall can get picked or hacked they are still good against the casual aggressor who just tosses ten thousand penetration attempts out there at random.
A BAD lock or firewall is arguably worse than none at all since the poor idiots employing it think themselves secure when the reality is that even the worst thief or script kid will have the means to open it immediately.

Anonymous Coward says:

Re: Re: Re: Locks are meant to keep honest people out.

Locks – most security devices – mainly discourage the opportunist. … A "lock" is meant to ensure your door isn’t the one he opens."

Yes, that’s a good way to put it. On this theory, I like to park my bike next to one of similar or greater value but poorly locked.

The main problem is that although a mediocre lock or firewall can get picked or hacked they are still good against the casual aggressor who just tosses ten thousand penetration attempts out there at random.

Hmm. "Ten thousand penetration attempts" just isn’t practical unless people have IoT locks. Apart from the simple time-and-effort problem, a person trying to pick all the physical locks in an area is going to get noticed, whereas a person walking around with a mobile phone will blend in. Who’d know the phone has an app scanning wifi for vulnerable locks? One person has to write that app one time, and then any idiot can break every such lock in the world.

Scary Devil Monastery (profile) says:

Re: Re: Re:2 Locks are meant to keep honest people out.

"Hmm. "Ten thousand penetration attempts" just isn’t practical unless people have IoT locks."

In the digital domain that would be any attack capable of being spammed – mass-mail trojans, tossing a cookie-cutter intrusion script at any discovered IP number, or inserting a hostile SQL script on a hacked popular webpage.

In physical reality this is the thief who turns as many doorhandles as he can and casually checks for open windows. Or, at most, opens any door his lockgun or skeleton key can open with a trigger motion and a twist.

"Who’d know the phone has an app scanning wifi for vulnerable locks? One person has to write that app one time, and then any idiot can break every such lock in the world."

A few years back a Chinese company actually sold a USB stick preloaded with a dozen standard intrusion scripts – didn’t work on a well-patched system…but as WCry demonstrated, "well-patched systems" are rarer than you’d think among large organizations. WCry itself was indeed based on a template such as the one you described – intrusion code written by the NSA and leaked by Russian hackers which had subsequently been used by script kids and pseudocrackers as payload in simple scripts.

It all boils down to the fact that if your security device, digital or not, can be opened by a skeleton key or has a backdoor then eventually everyone will be able to effortlessly open it. First of all of course proactive criminals.

Scary Devil Monastery (profile) says:

Re: Locks are meant to keep honest people out.

"I think EDUCATION is the answer. Educate the masses that their doorbell SHOULD NOT IN ANY WAY be on the Internet."

I’ve said it so often I feel the phrase has worn a groove in my tongue – "Smart" technology does not exist.

So far the masses appear education-proof. Although to be fair the US appear to be far riper a market for the snake oil salesman than much of the rest of the world. How do you teach a people so lamentably ill-informed a full 50% of them actively reject science?

Samuel Abram (profile) says:

Re: Re: Locks are meant to keep honest people out.

How do you teach a people so lamentably ill-informed a full 50% of them actively reject science?

Are you sure it's 50%? Maybe it's more like 33% because our electorate breakdown since the founding of the republic has been roughly 33% right-wing, 33% left-wing, and 33% in between. It's also harder to poll because our media fails us and that's why we go into these crazy voices like Alex Jones. I try to keep listening to scientific perspectives, though.

Scary Devil Monastery (profile) says:

Re: Re: Re: Locks are meant to keep honest people out.

"Are you sure it’s 50%?"

Richard Dawkins relied on numbers he’d obtained from US social demographic studies in delivering that proportion. So it’s nothing to do with the skewed data you’d get from the wreck often referred to as the US "electoral" system.

I take exception to some of Dawkins’ conclusions but at least he has the habit of providing credible sources for his raw data. I think I got the "50%" number from his book "The Greatest Show on Earth" but I’m fairly sure he’s quoted it elsewhere as well.

So at least among people in the habit of answering scientific polls you get the 50% who are creationist. Admittedly that indicates the error margin falls toward there being a lot more who don’t like to answer scientists…

ECA (profile) says:

Re: Locks are meant to keep honest people out.

Just another warning:
If you Fully protect yourself, you are considered paranoid.
There are ways to do everything, IF you have money and time.

TIME is the big thing. Because if someone ELSE, knows how/what you did, they can figure out how to bypass it.
But even after that, there is a strange Fact. BARS on a window are great to keep People out, but During a FIRE, they can keep you IN.. If you have a quick release or a fast way to get Past them, it makes it easy for those OUTSIDE to figure it out.

IMO:
Internet connection of devices is a bit Stupid. Most of these devices want your internet so they can Send data remotely, and you have to have internet/password/name to get access. They don’t consider or LET YOU have your own internal server to store/control the units, which IMO is stupid that you DON’T have it. As after that internal unit HAS the data, as a Main backup, it THEN can send acknowledgement REMOTELY, to your phone or any place you WANT it, LIKE remote email, NOT a service that charges you.

Do remember tho, that everything you do to protect yourself makes it harder to enter, Including Cops and fire dept. And if you need help, IT’S A HINDRANCE.. Even automating things will require you to have offline power storage and Keep it working properly, and moderated. And if the Internal power fails…I’m sorry.

PS. They are working on a CLEAR METAL, and it shouldn’t be long before you have new windows.

Scary Devil Monastery (profile) says:

Re: Re: Locks are meant to keep honest people out.

"There are ways to do everything, IF you have money and time."

There’s a golden rule among those working security – both digital and physical. Among the three criteria of Convenient, effective, and Cheap you can obtain any two, never all three.

In most cases you end up settling for one and a half. User-convenient security which provides no real protection on the cheap is the usual configuration.

This comment has been deemed insightful by the community.
Anonymous Anonymous Coward (profile) says:

Now tell the person on the street, and Joe sixpack as well

Consumer Reports is a good start, but it is limited to subscribers. The rest of the consumer market needs to know as well, and Techdirt doesn’t have enough readers to make a big enough dent. Mainstream press needs to cover this loudly and clearly.

Manufacturers of IoT devices need to be shamed (not buying their products would be a good start, but reviews* that include security issues would help as well) into better business practices (secure your equipment before you sell it, update it regularly, don’t depend upon servers you might not be able to maintain down the road) and explain to potential customers what the cost entails, including the extra money spent on securing those devices.

*Reviews from users are not helpful as they rarely have sufficient skill to be knowledgeable about hidden issues, like security. Most commercial reviews are tainted as well, as they seem to be more like marketing brochures. 40 years in the hospitality field and I never found a reviewer that I trusted. They lacked the knowledge, the experience, or the integrity to give an honest review.

This comment has been deemed insightful by the community.
David says:

"Dumb" is a technical term

Consumer Reports Study Shows Many ‘Smart’ Doorbells Are Dumb, Lack Basic Security

That is not "dumb", that is "stupid". "Dumb" has developed into a proper technical term usually meaning "does not do anything but its primary function".

It may have once meant the opposite of "intelligent" with "intelligent" being a buzzword for "contains a microprocessor". But everything contains a microprocessor these days.

Nowadays the dichotomy is more "smart"/"dumb". With "smart" being a marketing term for "rogue", doing things out of the control of its purported owner.

Ehud Gavron (profile) says:

Re: "Dumb" is a technical term

Dumb wasn’t the opposite of intelligent, it was unable to speak. Over time and people assuming those unable to speak were stupid, dumb came to mean that. Now its colloquial use is in the language.

Oxford gives an informal definition:
1.
informal
simplify or reduce the intellectual content of something so as to make it accessible to a larger number of people.
"critics have accused publishers of dumbing down books"

E

Anonymous Coward says:

Locks can only do so much. If someone wants to get into your house, a lock only slows them down a little bit. For me, I put up good security cameras around my house that see each other also. So I’d rather they see my cameras, which are out in the open and can be seen easily. They see that and go, Ummm why not go after an easier target. I don’t want them even walking up to my house. You can see my cameras from the sidewalk. They’re on the sides of my house and backyard also.

My cameras are recording 24/7. You can see the 2 RED LEDs at night that give them great night vision. They work!!! I’ll stick with my normal locks and my $15 wireless doorbell.
