Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security

from the dumber-is-better dept

As we've noted, most internet of broken things products, the so-called "smart" devices, quite often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.

"Smart" doorbells aren't much better. A new Consumer Reports study examined 24 different popular smart doorbell brands and found substantial security problems with at least five of the models. Many of these flaws exposed user account information, WiFi network information, or, in some cases, even user passwords. Consumer Reports avoids getting too specific so as to avoid advertising the flaws while vendors try to fix them:

"Since the manufacturers have yet to fix all but one of the 11 vulnerabilities we discovered, we can’t fully describe the issues since we want to avoid supplying information to potential hackers. However, we can tell you which models are affected, some of the risks facing consumers, and how the manufacturers responded to our findings."

The report also found that most models of smart doorbells collect way more data than is actually needed to function (Amazon/Ring's relationship with law enforcement has been well documented by Tim Cushing). Beyond that, barely a quarter of the brands could be bothered to implement two-factor authentication, considered a fairly basic necessity to prevent your account from being compromised:

"Our tests also revealed that most video doorbells lack two-factor authentication, a widely used security feature that sends users a temporary, onetime passcode typically via text message, email, phone, or mobile app to use in addition to their password for logging into their accounts. With this feature enabled, a hacker can’t log in to your video doorbell account even if they have your password. In fact, barely a quarter of the brands we tested have two-factor authentication. The only ones that have it are Arlo, August, Google Nest, Ring, and SimpliSafe."

As some security analysts like Bruce Schneier have long noted, there's market failure here in that consumers can't be bothered to research what they buy, manufacturers can't be bothered to properly secure their gear before moving on to hype the next model, and government guidance or punishment for lax security is inconsistent at best. Most of these products are advertised as smarter alternatives to older, dumber tech. But they inadvertently advertise how, in many instances, dumb technology (like a deadbolt, traditional doorbell, or a dog) is consistently the smarter option.


Filed Under: security, smart devices, smart doorbells


Reader Comments



  • Ehud Gavron, 24 Aug 2020 @ 4:09pm

    Locks are meant to keep honest people out.

    Rabbit hole: Check out "lockpickinglawyer" on YouTube. He's done houses, businesses, secure locks, super secure locks, gun safes, padlocks, you name it. Usually in under a minute he shows you how to get around anything.

    Locks prevent honest people from entering your house. People who want in can do any number of things from breaking a window to bashing in the doorstrike.

    IoT introduces Yet Another Attack Vector (multiple points of failure is always weaker than single point of failure if the device fails-secure.)

    I think EDUCATION is the answer. Educate the masses that their doorbell SHOULD NOT IN ANY WAY be on the Internet. Sure, that means you can't let your kids in when you're too lazy to be home on time. Sure, it means the FedEx guy has to leave the package outside instead of inside the home. It also means that J. Rando MethHead can't use BT or WiFi or 5G (chortle) to open your door.

    -cross apply all that to anything else that's IoT. It may not have a "security of the domicile" application but who wants their bedroom lights turned on at midnight (other than people awake at midnight)? Who wants their TV set to watch porn loudly at 0300 (other than people watching porn......)? Who wants their oven starting a 45 minute bake cycle with nothing in it? All these REALLY HAPPEN.

    Where is IoT useful? Everywhere. Where is the tradeoff between IoT and properly secured IoT (no such thing because in an arms race when the mfg and the customer have no incentive to participate, the opposing forces always win) in favor of the consumer? Never.

    IoT is great for... mmm... "Fridge, show me what's inside so I can see if I need to buy more milk." Anything that's READ-ONLY has potential to be useful on the upside of the tradeoff.

    Anything that's read/write or read/write/act is on the downside and over time will get worse because of that arms race.

    Down with IoT!!

    E

    • Atkray, 24 Aug 2020 @ 7:32pm

      Re: Locks are meant to keep honest people out.

      Warning: RABBIT HOLE !!!!

      I've seen that channel.

      Highly entertaining, possibly addictive.

    • Anonymous Coward, 24 Aug 2020 @ 8:41pm

      Re: Locks are meant to keep honest people out.

      Good and valid comment (as usual), but...
      J. Rando MethHead, FTW.

    • Anonymous Coward, 24 Aug 2020 @ 9:47pm

      Re: Locks are meant to keep honest people out.

      "Locks are meant to keep honest people out" is, if I'm being generous, an oversimplification. By that logic, we could get rid of locks—why do honest people need to be kept out?—or perhaps we'd all use dollar-store locks. But it seems that stuff locked up with really cheap locks does tend to get stolen more frequently.

      Perhaps we should say that locks are meant to keep out the ignorant or lazy, or that they're a way to use fear to extract money from the public.

      Sure, that means you can't let your kids in when you're too lazy to be home on time.

      30 years ago, we kids just carried keys. Except for one or two kids that became infamous for losing them around town.

      • Ehud Gavron, 24 Aug 2020 @ 10:21pm

        Re: Re: Locks are meant to keep honest people out.

        By that logic, we could get rid of locks—why do honest people need to be kept out?

        I alluded to that. A lock that can be opened prevents someone from breaking your window or your doorframe. If someone is determined to enter, they will. The question becomes how much hassle do you want to go through to fix it later.

        • Authentication... who are you?
        • Authorization... do you have authorization to access this facility
        • Mechanism... do you have the token to effect this for access
        • Access... shall I open the door for you now

        This is all obviated by breaking things, so trusting a $50-$100 IoT thing is a waste of time except for those honest people.

        You do make a good point. Honest people won't come try your door to see if it's unlocked... so you don't really need a lock. Maybe a sticker like the "Protected by SomeAlarmCo" thing that looks like a really tough lock would work... to deter... the people who won't be deterred by the lock in the first place.

        It's a game to them. If they lose, they don't rob YOUR place, and they go to the NEXT place. No harm, no foul, no loss. If YOU lose, you get your stuff broken into, stuff stolen, insurance hassle, and months without stuff -- some of which is irreplaceable.

        How to win? Not sure.

        How to break even? Not sure.

        How to maximize your chances? Don't use IoT or other means of making it easy to rob you. Don't make your house/apt a target "Oh look, this guy has that dorky $20 doorbell we can 'hotwire' through BT to open. Let's see what cool things he has inside if he can afford this doorbell..."

        etc.

        E

      • Scary Devil Monastery, 25 Aug 2020 @ 7:41am

        Re: Re: Locks are meant to keep honest people out.

        "Perhaps we should say that locks are meant to keep out the ignorant or lazy, or that they're a way to use fear to extract money from the public."

        Locks - most security devices - mainly discourage the opportunist.

        A friend of mine who's worked computer security used the following analogy;

        "Imagine a thief going down the street, quickly trying every door handle on his way. When he finds an unlocked one he simply opens it, reaches in and grabs the first promising items (purses, nice jackets, briefcases, etc) he sees, backs out, closes the door, and swiftly walks away. A "lock" is meant to ensure your door isn't the one he opens."

        Against a dedicated aggressor, no viable defense exists, only speedbumps. The average person is unlikely to ever encounter a dedicated and competent aggressor in this way.

        That leaves the average person threatened mainly by shoddy security measures for which the equivalent of skeleton keys exist; smartphones with built-in backdoors - are open to every aggressor, eventually; IoT devices vulnerable to one and the same Java exploit? Open to every aggressor; OS with a known exploit? Open to every aggressor; Password vulnerable to dictionary attacks? Open to every aggressor.

        The main problem is that although a mediocre lock or firewall can get picked or hacked they are still good against the casual aggressor who just tosses ten thousand penetration attempts out there at random.
        A BAD lock or firewall is arguably worse than none at all since the poor idiots employing it think themselves secure when the reality is that even the worst thief or script kid will have the means to open it immediately.

        • Anonymous Coward, 25 Aug 2020 @ 8:56am

          Re: Re: Re: Locks are meant to keep honest people out.

          Locks - most security devices - mainly discourage the opportunist. ... A "lock" is meant to ensure your door isn't the one he opens."

          Yes, that's a good way to put it. On this theory, I like to park my bike next to one of similar or greater value but poorly locked.

          The main problem is that although a mediocre lock or firewall can get picked or hacked they are still good against the casual aggressor who just tosses ten thousand penetration attempts out there at random.

          Hmm. "Ten thousand penetration attempts" just isn't practical unless people have IoT locks. Apart from the simple time-and-effort problem, a person trying to pick all the physical locks in an area is going to get noticed, whereas a person walking around with a mobile phone will blend in. Who'd know the phone has an app scanning wifi for vulnerable locks? One person has to write that app one time, and then any idiot can break every such lock in the world.

          • Scary Devil Monastery, 26 Aug 2020 @ 12:45am

            Re: Re: Re: Re: Locks are meant to keep honest people out.

            "Hmm. "Ten thousand penetration attempts" just isn't practical unless people have IoT locks."

            In the digital domain that would be any attack capable of being spammed - mass-mail trojans, tossing a cookie-cutter intrusion script at any discovered IP number, or inserting a hostile SQL script on a hacked popular webpage.

            In physical reality this is the thief who turns as many doorhandles as he can and casually checks for open windows. Or, at most, opens any door his lockgun or skeleton key can open with a trigger motion and a twist.

            "Who'd know the phone has an app scanning wifi for vulnerable locks? One person has to write that app one time, and then any idiot can break every such lock in the world."

            A few years back a Chinese company actually sold a USB stick preloaded with a dozen standard intrusion scripts - didn't work on a well-patched system...but as WCry demonstrated, "well-patched systems" are rarer than you'd think among large organizations. WCry itself was indeed based on a template such as the one you described - intrusion code written by the NSA and leaked by Russian hackers which had subsequently been used by script kids and pseudocrackers as payload in simple scripts.

            It all boils down to the fact that if your security device, digital or not, can be opened by a skeleton key or has a backdoor then eventually everyone will be able to effortlessly open it. First of all of course proactive criminals.

    • Scary Devil Monastery, 25 Aug 2020 @ 7:27am

      Re: Locks are meant to keep honest people out.

      "I think EDUCATION is the answer. Educate the masses that their doorbell SHOULD NOT IN ANY WAY be on the Internet."

      I've said it so often I feel the phrase has worn a groove in my tongue - "Smart" technology does not exist.

      So far the masses appear education-proof. Although to be fair the US appear to be far riper a market for the snake oil salesman than much of the rest of the world. How do you teach a people so lamentably ill-informed a full 50% of them actively reject science?

      • Samuel Abram, 25 Aug 2020 @ 9:32am

        Re: Re: Locks are meant to keep honest people out.

        How do you teach a people so lamentably ill-informed a full 50% of them actively reject science?

        Are you sure it's 50%? Maybe it's more like 33% because our electorate breakdown since the founding of the republic has been roughly 33% right-wing, 33% left-wing, and 33% in between. It's also harder to poll because our media fails us and that's why we go into these crazy voices like Alex Jones. I try to keep listening to scientific perspectives, though.

        • Scary Devil Monastery, 26 Aug 2020 @ 12:50am

          Re: Re: Re: Locks are meant to keep honest people out.

          "Are you sure it's 50%?"

          Richard Dawkins relied on numbers he'd obtained from US social demographic studies in delivering that proportion. So it's nothing to do with the skewed data you'd get from the wreck often referred to as the US "electoral" system.

          I take exception to some of Dawkins' conclusions but at least he has the habit of providing credible sources for his raw data. I think I got the "50%" number from his book "The Greatest Show on Earth" but I'm fairly sure he's quoted it elsewhere as well.

          So at least among people in the habit of answering scientific polls you get the 50% who are creationist. Admittedly that indicates the error margin falls toward there being a lot more who don't like to answer scientists...

    • ECA, 25 Aug 2020 @ 2:14pm

      Re: Locks are meant to keep honest people out.

      Just another warning:
      If you Fully protect yourself, you are considered paranoid.
      There are ways to do everything, IF you have money and time.

      TIME is the big thing. Because if someone ELSE, knows how/what you did, they can figure out how to bypass it.
      But even after that, there is a strange Fact. BARS on a window are great to keep People out, but During a FIRE, they can keep you IN.. If you have a quick release or a fast way to get Past them, it makes it easy for those OUTSIDE to figure it out.

      IMO:
      Internet connection of devices is a bit Stupid. Most of these devices want your internet so they can Send data remotely, and you have to have internet/password/name to get access. They don't consider or LET YOU have your own internal server to store/control the units, which IMO is stupid that you DON'T have it. As after that internal unit HAS the data, as a Main backup, it THEN can send acknowledgement REMOTELY, to your phone of any place you WANT it, LIKE remote email, NOT a service that charges you.

      Do remember tho, that for everything you do to protect yourself, makes it harder to enter, Including Cops and fire dept. And if you need help, IT'S A HINDRANCE.. Even automating things will require you to have offline power storage and Keep it working properly, and moderated. And if the Internal power fails...I'm sorry.

      PS. they are working on a CLEAR METAL, and it shouldn't be long before you have new windows.

      • Scary Devil Monastery, 26 Aug 2020 @ 12:54am

        Re: Re: Locks are meant to keep honest people out.

        "There are ways to do everything, IF you have money and time."

        There's a golden rule among those working security - both digital and physical. Among the three criteria of Convenient, effective, and Cheap you can obtain any two, never all three.

        In most cases you end up settling for one and a half. User-convenient security which provides no real protection on the cheap is the usual configuration.

        • ECA, 26 Aug 2020 @ 1:23am

          Re: Re: Re: Locks are meant to keep honest people out.

          Agree,
          A half/a$$ job.. Expecting to finish it later...Never gets done.
          I've seen a home with the inside walls Covered in Chicken wire, and 3 locks on the main doors, and a few other things..

  • Anonymous Anonymous Coward, 24 Aug 2020 @ 4:17pm

    Now tell the person on the street, and Joe sixpack as well

    Consumer Reports is a good start, but it is limited to subscribers. The rest of the consumer market needs to know as well, and Techdirt doesn't have enough readers to make a big enough dent. Mainstream press needs to cover this loudly and clearly.

    Manufacturers of IoT devices need to be shamed (not buying their products would be a good start, but reviews* that include security issues would help as well) into better business practices (secure your equipment before you sell it, update it regularly, don't depend upon servers you might not be able to maintain down the road) and explain to potential customers what the cost entails, including the extra money spent on securing those devices.

    *Reviews from users are not helpful as they rarely have sufficient skill to be knowledgeable about hidden issues, like security. Most commercial reviews are tainted as well, as they seem to be more like marketing brochures. 40 years in the hospitality field and I never found a reviewer that I trusted. They lacked the knowledge, the experience, or the integrity to give an honest review.

    • Anonymous Coward, 24 Aug 2020 @ 8:43pm

      Re: Now tell the person on the street, and Joe sixpack as well

      Convince the media that this is exciting (controversial!) news for more than five minutes and not only when scaring a child.

  • David, 25 Aug 2020 @ 1:43am

    "Dumb" is a technical term

    Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security

    That is not "dumb", that is "stupid". "Dumb" has developed into a proper technical term usually meaning "does not do anything but its primary function".

    It may have once meant the opposite of "intelligent" with "intelligent" being a buzzword for "contains a microprocessor". But everything contains a microprocessor these days.

    Nowadays the dichotomy is more "smart"/"dumb". With "smart" being a marketing term for "rogue", doing things out of the control of its purported owner.

    • Ehud Gavron, 25 Aug 2020 @ 8:14am

      Re: "Dumb" is a technical term

      Dumb wasn't the opposite of intelligent, it was unable to speak. Over time and people assuming those unable to speak were stupid, dumb came to mean that. Now its colloquial use is in the language.

      Oxford gives an informal definition:
      1.
      informal
      simplify or reduce the intellectual content of something so as to make it accessible to a larger number of people.
      "critics have accused publishers of dumbing down books"

      E

      • Anonymous Coward, 25 Aug 2020 @ 9:00am

        Re: Re: "Dumb" is a technical term

        That's the meaning of the verb phrase "to dumb down", rather than the verb "to dumb" (which apparently means "to silence").

    • Anonymous Coward, 25 Aug 2020 @ 9:03am

      Re: "Dumb" is a technical term

      "intelligent" being a buzzword for "contains a microprocessor"

      These days, "smart" seems to mean "on the internet". Those who believed being on the internet to be a sign of intelligence were proven wrong in September 1993.

  • Scary Devil Monastery, 25 Aug 2020 @ 7:28am

    "Many 'Smart' Doorbells Are Dumb"

    Should we take that to mean that a lot of gullible idiots are essentially mounting dumbbells on their doors?

  • Anonymous Coward, 25 Aug 2020 @ 11:58am

    Locks can only do so much. If someone wants to get into your house, a lock only slows them down a little bit. For me, I put up good security cameras around my house that see each other also. So I'd rather they see my cameras, which are out in the open and can be seen easily. They see that and go, Ummm why not go after an easier target. I don't want them even walking up to my house. You can see my cameras from the sidewalk. They're on the sides of my house and backyard also.

    My cameras are recording 24/7. You can see the 2 RED LEDs at night that give them great night vision. They work!!! I'll stick with my normal locks and my $15 wireless doorbell.
