
Retailers Selling Thousands Of Identical, Easily-Hacked ‘Smart’ Doorbells

from the same-shit,-different-name dept

As we’ve noted for a very long time, “dumb” tech is often the smarter option. In the rush to connect every conceivable technology and device to the internet (while seeing ever-improving revenues), “smart technology” companies routinely cut corners. And the first sacrifice usually made (behind customer service) tends to be consumer privacy and device security.

A new investigation by Consumer Reports found that major retailers like Amazon, Sears, Temu, and Walmart are selling thousands of different types of video doorbells that all have the flimsiest security imaginable. As a result, many of the devices can be hacked — sometimes from thousands of miles away — providing intruders access to your home video feeds.

Simply knowing a device’s serial number in some instances provided easy access to user video. Many doorbells failed to even encrypt the public IP addresses and Wi-Fi SSIDs sent over the internet. And in some instances, all it took was an attacker walking up to the physical device and putting it into pairing mode to gain access to live and recorded video streams.

The thousands of cheap, usually Chinese-made, video doorbells are sold under different brand names (like Eken and Tuck), but are otherwise virtually identical — down to the painful lack of security:

“The two devices stood out not just because of the security problems but also because they appeared to be identical, right down to the plain white box they came in, despite having different brand names. Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken.”

Consumer Reports contacted the companies involved and received no response whatsoever. Past studies by the organization have shown that even more reputable brands in the smart doorbell space don’t have particularly robust security. Brands like Amazon’s Ring and Google’s Nest have also had plenty of problems, including companies’ more-than-cordial relationship with law enforcement.

But as Consumer Reports notes, retailers also have some responsibility to not sell absolute garbage that not only doesn’t work, but puts potentially vulnerable people (like victims of stalkers) at additional risk. And by selling so many terrible products under so many different brand names, even tracking the scope of the problem becomes an uphill climb for researchers.

Companies: amazon, sears, temu, walmart


Comments on “Retailers Selling Thousands Of Identical, Easily-Hacked ‘Smart’ Doorbells”

18 Comments
Anonymous Coward says:

This, unfortunately, is the norm

When considering any IOT device, it’s best to presume that it’s a nightmare of security and privacy issues…because there’s a very high probability that it is. The “risks” and “dumpsterfire” forums have carried message after message about this for years, and there’s no shortage of new material.

This is possible (a) because there’s no regulation and therefore (b) there’s no incentive for vendors to put in the work and (c) there are lots of incentives for them not to, since acquired data can be sold into the data broker ecosystem.

It’s only a matter of when, not if, the IOT will be used in a major attack. It’s an obvious vector and best of all (from the attacker’s point of view) they didn’t have to pay for it or install it: everyone out there did it for them.

Anonymous Coward says:

Re:

When considering any IOT device

It’s not even just “IoT”. Amateur lockpickers have been bitching for literally decades that there are zero good padlocks or door locks to be found in big-box stores. Many areas still have locksmiths that sell locks with reasonable security, or maybe an independent hardware store does; otherwise, it’s best to go online.

To be clear, the specific claim was that every single such lock for sale in Home Depot and Wal-Mart was easily picked or otherwise defeated with unpowered hand tools. (Never mind those packages that expose key bittings and lock serial numbers simultaneously.) I’m told bicycle locks are good by comparison, though quite vulnerable to powered tools.

ECA (profile) says:

Point made

Before, is that, WHY in hell do they all have Offloaded Data to another site, that you didn't choose. As that breaks the 3rd party rule, and Anyone can get it. It's not considered Private ONCE it leaves your location.

Even a Cheap Raspi, (1 for each unit) can Download the Data and save it to a flash card, and make it accessible to your Computer, Easily, AND PASSWORDED.
Or even use a Router and a better computer and handle 4=8 easily on 1 machine.

Instant and remote access, Should be easy, even remote access, with a few minor tricks.

TKnarr (profile) says:

It’s not just in the IoT space, every type of product suffers from a large number of randomly-named brands reselling the exact same low-quality product from the same Asian OEM. Sometimes they don’t even differ in the printing on the case. For the most part anywhere you go to buy on-line these “brands” are promoted to the top of the list and you have to filter by brand name to even find the reputable ones. It’s gotten to the point where I’ve abandoned Amazon as a source and only buy directly from a known brand’s web site (or their Amazon store if their site directs me to it and even then I’m careful about the exact product being ordered and who’s shipping it).

ECA (profile) says:

It's the problem

THINKING that a computer FIXES/IMPROVES everything.
refrig, washer, dryer, security. WHY in hell do they need internet access?
AT MOST, you insert a relay for a failure alarm, and Leave it At that. Because EVEN the computer Won't tell you anything until it FAILS. And almost anything ELSE is laziness or Idiocy.

AND as I asked the Samsung about a frig, my friend bought. The Computer has NO BATTERY BACKUP. On power fail it resets to default config, as if JUST BOUGHT. And KNOWING the temp in the frig tells you NOTHING if you need a PHONE to tell you, When a Failure alarm or Over TEMP, Would be MUCH BETTER, and mechanical, and last forever.
Also, the frig had NO SPIKE PROTECTION. Was not in the Manual.

Anonymous Coward says:

Re:

THINKING that a computer FIXES/IMPROVES everything.

As I posted in another comment, still stuck in moderation, this is not specific to computers. Every single door lock that’s for sale in big-box stores is crap, according to those in the know.

frig, my friend bought. The Computer has NO BATTERY BACKUP. On power fail it resets to default config

It’s even worse than you say, because there’s no reason it needs battery backup. Assuming the microcontroller being used by the fridge doesn’t already have a couple bytes of non-volatile memory, as many cheap ones do, EEPROMs are really cheap. I see some below 20 cents each, with most below a dollar; that’s at quantity 1 and they get cheaper in bulk.

(As for battery backup, my circa-1989 Zelda cartridge is still doing fine with its original battery, and Nintendo were known for using really cheap hardware; cf. “Lateral Thinking with Withered Technology”.)

bobob says:

Too many people think an app or IoT device is a time saving or “cool” gadget, when almost always, they are neither and instead hidden security nightmares. If I wanted to know who is at my door, it would be easy enough to connect a simple camera to a computer or a monitor. I do not need a doorbell to tell me my front door is open.

If you have apps or devices that have to be connected to function, you should get rid of them or else be happy that you are being monitored in ways you cannot know or defeat.

LostInLoDOS (profile) says:

You get what you pay for?

If you’re a privacy nutter and worried about people watching your video feeds, spend for quality security products. If you buy a wifi doorbell for $10 you should expect it to be without any sort of security.

Though aside from the “gawd privacy” aspect, there’s not much to worry about exposed external camera feeds, especially door bells, in the real world.
