Your smart doorbell may let in unwanted visitors
It seems everything can be put online these days -- lights, window shades, door locks, refrigerators, crock pots, you name it. One popular item being advertised vigorously in the US is the smart doorbell. It's a nice idea as it allows the user to see who's at the door without opening it. You can even talk to visitors and all of this is done from an app on the smartphone, even if you aren't actually home.
But, as we've seen with other IoT devices, this isn't always safe. These days even your daughter's Barbie doll has security concerns.
Researchers at Pen Test Partners in the UK have delved into this new fad and found alarming results. They tested a doorbell called, simply, Ring. At $199 it's not exactly cheap, but customers who purchase it expect security from possible intruders. They get that to a certain extent -- someone who is hoping to forcefully enter the building, and is checking to see if anyone is home, can be stopped. Hackers, on the other hand, aren't slowed down.
The security team calls Ring genuinely useful and one of the few IoT products they would use; however, there is a big "but" involved. "To set it up, one has to connect it to your home Wi-Fi router. That requires that you give it your Wi-Fi key. Here’s where the problem lies", Pen Test Partners says.
It then proceeds to analyze all aspects of the device. First, the hardware is fixed outside the door using two screws, making it easy to steal -- so much so that the company is offering free replacements for nabbed products.
That factor adds to the bigger problem, as pointed out in the study:
The doorbell is only secured to its back plate by two standard screws. This means that it is possible for an attacker to gain access to the homeowner’s wireless network by unscrewing the Ring, pressing the setup button and accessing the configuration URL.
As it is just a simple URL this can be performed quite easily from a mobile device such as a phone and could be performed without any visible form of tampering to the unit.
Ring has fixed this problem, and did so quickly after the researchers alerted the company to it. Now it's up to users to make sure their doorbells are up to date, which seems like a very strange thing to say.