It’s the fourth Thursday in November, so it’s not just a day for saying “Happy Thanksgiving” to our US readers…
…but also a day for thinking about the cool new gadgets you have in mind for your Black Friday shopping spree tomorrow.
(Is it just us, or has Cyber Monday disappeared as a concept now that “Black Friday” is almost entirely online anyway, and seems to apply pretty much all day, every day from weeks before Thanksgiving to weeks afterwards?)
We don’t doubt that many people’s wish lists are topped out with new or newish devices such as Google Pixels, Apple iPhones, Sony PS5s and Microsoft Xboxen – if you can get them, that is.
But it’s not just the latest phones and gaming consoles that fill the Black Friday carts.
Home automation gadgets are popular purchases, too – especially if they look as though they’re top-notch products at bargain-basement prices.
That rings a bell
With that in mind, UK consumer magazine Which? recently went online and bought 11 different digital doorbells – a type of IoT device made popular by the Ring product – to see how they stacked up.
In theory, at least, a wireless doorbell is a splendid idea: you don’t need to drill a hole in your doorframe to shove a wire through; you can put the ringer wherever you like; you can take it with you when you move; and, thanks to the diminutive size of video cameras these days, many IoT doorbells let you see who’s calling, even when you’re not at home.
(With digital doorbells, you can also change the ring tone at will – you aren’t stuck forever with that two-tone chime that sounded so delightful at first but that you now regret.)
In other words, a wireless video doorbell sounds – pun intended! – as though it ought not only to simplify the DIY task of installing it but also to improve your home security as soon as it’s turned on.
In practice, of course, there’s a lot that can go wrong with internet-enabled doorbells.
You might end up reducing both your physical and online security at the same time.
Your physical privacy and security could be harmed because of the live video features of the doorbell – exploited by crooks or creeps to spy on you instead of helping you keep an eye out for them.
And your online security could be harmed because most digital doorbells need to be hooked up to your home Wi-Fi, thus potentially bringing exploitable software vulnerabilities or privacy-busting data collection “features” right onto your own network.
Cause for concern
As you have probably already figured out if you looked at the headline and the subtitle of the Which? article above, the results of the magazine’s experiment give real cause for concern:
The smart video doorbells letting hackers into your home.
All 11 doorbells we tested demonstrated high-risk security issues. [Which? 2020-11-23]
For what it’s worth, we might not describe all the vulnerabilities that Which? found as “high-risk” ourselves, given that it seems some of them aren’t irremediably baked into the affected devices and can be avoided by taking the time to set up the devices correctly, such as picking a proper password…
…but “high-risk” was the adjective that Which? chose, and we aren’t going to argue with their reasoning.
Sure, a device that arrives with a weak (and widely-known) default password can easily be made more secure at install time.
But if that’s what you expect new users to do, why not ship the device in a configuration that will prevent it working at all until it is set up properly?
Indeed, as Which? points out, UK regulations proposed at the start of 2020 for IoT devices would prohibit default passwords altogether:
All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
Pick of the worst
Ironically, if we wanted to take issue with the word “high-risk”, it would be that for some of the flaws reported, the term simply isn’t strong enough, and “critical vulnerability” might be a better choice.
Here are three of the security holes that Which? found:
- One product uploaded the local Wi-Fi password to the vendor’s servers in China unencrypted. Not only does the maker of the device have no need for your wireless password, sending it unencrypted means anyone snooping in the network along the way could retrieve it and sell it on.
- A second product could be detached from your front door and stolen using a mobile phone SIM ejector tool (a thin metal pin on the end of a miniature handle), even though any data stored on it – presumably including images of recent visitors and your Wi-Fi password – was unencrypted.
- A third device could be forced back into ‘setup’ mode at will from outside your house, essentially allowing crooks to turn it off before burgling your property.
What to do?
We wish we could give you some simple technical tricks that would let you tell good and bad home gadgets apart before buying them, or even suggest a reliable and practicable way to tell a well-secured device from a badly programmed one after setting it up.
Unfortunately, things aren’t that straightforward – and, ironically, finding privacy and security holes in devices that do “a bit of cybersecurity but not enough” can be surprisingly difficult.
(As an example, the researchers at Which? would have had to do a lot more work to detect the exfiltrated Wi-Fi password mentioned above if the device had used an encrypted connection to call home in the first place.)
So, here are four “buyer beware” tips to help you keep risky devices out of your home network:
- 1. Ignore online reviews on merchant sites. You have no idea who wrote those reviews or gave the product a good score. Which? reported that most of the 11 flawed doorbell devices they chose had “[20 or more] 5-star reviews.” Sadly, there’s a plentiful supply of fake reviewers out there who will promote products they’ve never seen, let alone used, often for very modest amounts of money.
- 2. Don’t be deceived by name or looks. Budget devices are easy to build so they look similar to devices that have a good reputation. Also, many different-looking products are made by the same manufacturer, based on identical hardware and software, and then branded to look like different devices for a range of affiliate merchants. In short, just because a device looks like a known-good product means very little; and just because a device looks completely different from one you already know to be bad doesn’t really help you decide, either.
- 3. Talk to someone you know and trust to help you judge. Some home device vendors have a good reputation for security, including providing prompt updates if vulnerabilities are found. Look for independent and objective advice to confirm that’s the case for any devices you plan to buy, to ensure that you are looking at the real deal, and that you are buying the right model.
- 4. Be prepared to write off devices that don’t shape up. If you discover that a home device you bought has dangerous flaws and won’t be getting updates – and for cheap devices from budget merchants, that often happens – then ask for your money back. If you can’t get it back, be willing to get rid of the flawed device (please recycle responsibly!) and take the financial loss on the chin. Then
GOTO 1.
Simply put, if in doubt, leave it out.
When it comes to home security gadgets, don’t risk making your security worse than it was before – you might as well keep your money in your pocket.
Cassandra
Sadly, there’s a plentiful supply of fake reviewers out there who will promote products they’ve never seen,
Equally sadly there are a lot of people who thinking this is a “plug and play” bit of tech and because it “works”, post “genuine” reviews saying how good it is – oblivious to the likes of Sophos – or even Which!
The need for a “home internet security standard” is high, but given most of these items come from China, where I think they cut-and-paste the “required standards information” into their product info (it happened with the FFP2 masks that I ordered – they have “a BSI certificate”, but they don’t conform).
Mahhn
Can you please provide the product name of this one “One product uploaded the local Wi-Fi password to the vendor’s servers in China unencrypted.”
This anti-security device – literally doing the opposite of security should be exposed, and possibly followed up on as an attempt by that company/programmer/group to access peoples networks for criminal intent. If they get caught they will say “oops, unencrypted, could be anyone”. But those configurations are not mistakes. They are built that way by design.
Paul Ducklin
The specific model names and pics are in the Which? report. I didn’t list them here for two main reasons: [1] Which? did the work so they deserve the clicks (and that way the version of the report you see is the latest official one) [2] names are misleading, as mention in the article, because of “white boxing” (one core product, many brands/colours/looks).
Redditor
Look everyone! It’s another boomer scared of the future! Look and laugh!
Upstate Boomer (not a nuclear submarine!)
Why is this comment still here? It adds nothing to the conversation about the content and substance of the article. I’d delete it posthaste.
Paul Ducklin
Although I accept it’s probably “just a troll”, I was prepared to allow it because it reminds us that there really are people out there who see unregulated and unrestrained data collection by cloud services as progress… in other words, as long as something funky comes out of it (like being able to answer your doorbell while you are out), it’s worth throwing away, or at least voluntarily giving up on, your privacy. And thinking otherwise is written off as “old fashioned”, and therefore uncool, and therefore unnecessary.
Gary
Duck,
Excellent article – too many consumers that don’t understand the basics of how IoT devices work and just blindly assume that ‘it’s secure because the manufacturer says it is’. However, you didn’t mention the option (if possible on your home network equipment) of setting up a separate network for your IoT devices, so that items like a wireless doorbell are separate from your home computer(s), cell phone on Wi-Fi, etc., helping to create another layer of security for your home network. This would be especially helpful if item #4 is true, and it doesn’t shape up and does have flaws, you aren’t leaving your home network completely open to those flaws.
A possible item #5 for your list above (because we all know you like lists with 5 items in them – see the Naked Security Live recordings) would be if you are unfamiliar with how to properly secure your wireless network against these such devices, ask a friend that you trust to help you do so.
Paul Ducklin
Indeed. We have a Tips article (8 in that one!) elsewhere on Wi-Fi security and splitting up your network is one suggestion:
https://nakedsecurity.sophos.com/2020/10/08/8-tips-to-tighten-up-your-work-from-home-network/
Remember, however, splitting your network doesn’t stop personal data being uploaded to the vendor’s servers by mistake…
Steve
I would suggest a little tweak to your Tip #4: if you’re giving up on a device, then “recycling responsibly” should include first ensuring that you have fully deleted any and all data that might possibly be stored on it. And if you find that it is difficult or impossible to do so, then I submit that it would be better to utterly destroy the device – such as by taking a 12-gauge (or 12-bore, to some of you) to it – than to scrap it with your data intact.
Paul Ducklin
I thought of that but decided that describing how to destroy a device in a way that makes sure you wiped everything is a whole series of articles in its own right. (Blasting with a shotgun might not actually be enough to destroy every flash chip in the device, and would certainly create an environmental mess of plastic fragments.)
Hmmm. I think I feel some research coming on… I’d be interested to know how recycling centres deal with this issue. My local council tip is pretty strict (and careful) about segregating electronic waste that ought not to end up in landfill, and AFAIK electronics are recycle to recover any interesting metals because they actually have some value… but how that process happens and how reliably it prevents unauthorised attempts to recover lost data, I don’t know.
I suspect that “it’s all piled together in a big heap and removed en masse by truck once a week” is taken as a guarantee of sorts that any attempts by rogue staff to retrieve data for nefarious purposes would be shambolic and ineffective at best. But that’s not a very solid guarantee…
Cassandra
“it’s all piled together in a big heap and removed en masse by truck once a week”
That’s what they used to say about old corporate PCs – they got shipped abroad where their hard drives were retrieved and sold to the highest bidder – I think Channel4 (Despatches?) did an exposure of what was happening.
What does 10 minutes in the microwave do to such electronics? Could be a lot of sparking if there is a metal case – so possibly just 30 minutes as Gas Mark 8?
Paul Ducklin
Put it in three Sainsbury “bags for life” and pound it with a lump hammer? Then feed the detritus through a cross-cut shredder? (I have tried that – it worked but I don’t think the shredder was very happy afterwards because it was designed for paper.)
I wouldn’t put one in an oven, gas or electric. Fire hazard, health hazard, phthlate [?] hazard.
OTOH, if you have a friend with a blast furnace…
Bob
Or a crunchy pair of slip-joint pliers! And wear eye protection.
Bob
Hm. Is there some kind of test that a user could do? Like a penetration test. It would have to detect the device, determine that it was yours, then attempt a reset or image capture or the like.
Paul Ducklin
One complexity here is that many devices look fine when you probe them (e.g. using nmap) because they are cloud based and work by only ever making outbound connections. You can monitor those outbound connections for dodgy or leaky content, as the Which? folks did… but it’s hard to know, without decompiling the device firmware and figuring out what it sends, and when and why, whether you’ve seen (and understood) a representative sample.
Cassandra
Did Which? report the offenders to the Information Commissioner’s Office?
We need some sanction somehow on the manufacturers or retailers of this leaky equipment.
Paul Ducklin
I don’t know. The problem with regulations in the UK about IoT devices is (as you will see from this and from the Which? article) that the regulations that would help are still just at the proposal stage AFAIK, not even Bills in parliament yet. So there’s not really a lot to report.