Perhaps, Don’t Trust Your Doorbell!


“Alexa, tell me a spooky story?” … “Thank you. Yes. Amazon monitors its doorbells. Here’s an interesting fact. Their doorbells were pressed 15.8 million times at Halloween. And they have been sending passwords in plaintext over an unencrypted channel.”

This week, I gave a few demos of the insecurity of IoT devices at the Digit Expo. This included capturing encrypted Bluetooth packets from a heart rate monitor, and then cracking them within seconds.

Virtually every IoT device we have tested has some form of vulnerability.

And so, if Amazon can’t even produce a secure doorbell for your home, we really must worry about all the other devices that are flooding into your home … your smart kettle, your smart TV, your smart fridge, and your smart microwave oven.

Overall, Bitdefender found that the Amazon doorbell used an unencrypted HTTP connection to send usernames and passwords in plain text. This would allow any intruder with a scanner to simply view the login details with Wireshark, and then take over the doorbell (and, of course, let themselves into your home).

It basically happens when the doorbell is initially set up, or when it connects back into the Wi-Fi network, and then sends the username and password over the air. Amazon says they have now fixed the vulnerability, but the lack of thought in this is quite worrying.
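A defender's check for the behaviour described above, as an added example that is not from Bitdefender, Amazon or the original post: it scans a captured request and reports which credential fields are readable in plaintext HTTP. The sample requests, paths and field names are constructed for illustration and assume nothing about the doorbell's actual setup protocol.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

# Assumed list of field names that usually carry secrets; extend for your device.
SENSITIVE = {"user", "username", "pass", "passwd", "password", "pwd", "psk", "ssid"}

def find_cleartext_credentials(raw: bytes) -> list:
    """Return (location, field) pairs for credentials readable in one captured
    plaintext HTTP request. Only field names are reported, never the values."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return []  # not plaintext HTTP (for example a TLS record)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # Credentials placed in the URL query string.
    for key, _ in parse_qsl(urlsplit(request_line[1]).query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            findings.append(("query", key))
    # HTTP Basic auth is only base64-encoded, so it is cleartext on the wire.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            if b":" in base64.b64decode(token.strip(), validate=True):
                findings.append(("header", "authorization"))
        except ValueError:
            pass  # malformed token, nothing decodable to report
    # Credentials in a URL-encoded form body, as a setup request would send them.
    if headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        for key, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if key.lower() in SENSITIVE:
                findings.append(("body", key))
    return findings

# Constructed samples (hypothetical paths and fields, not the doorbell's real protocol).
SETUP = (b"POST /setup HTTP/1.1\r\nHost: 192.0.2.1\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"ssid=HomeNet&password=example-only")
BASIC = (b"GET /status?user=admin HTTP/1.1\r\nHost: 192.0.2.1\r\n"
         b"Authorization: Basic " + base64.b64encode(b"admin:example-only") + b"\r\n\r\n")
TLS = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"  # start of a TLS handshake record

if __name__ == "__main__":
    for name, sample in (("setup", SETUP), ("basic", BASIC), ("tls", TLS)):
        print(name, find_cleartext_credentials(sample))
```

An empty result for a device's setup traffic means only that no known field name was readable in that request; it does not prove the channel is encrypted.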

Along with this, there have been some questions about the closeness of their relationship with law enforcement agencies in the development of the Ring doorbell, and whether there may be special codes that could be used by them in order to gain entry to homes. While this may be acceptable for high-risk crime, the same methods could easily be used by those who want to steal things from your home. There are very few things that can be kept secret in these types of devices, and secret codes can easily be detected.

Amazon, too, has even been bragging about the data that they collect from the doorbells, saying that its doorbell was used 15.8 million times at Halloween. They also promoted a Halloween skin for the doorbells, and scans of kids at doorbells.

Conclusions

It’s about time we designed things with security in mind. If Amazon needs others to tell them about a naive vulnerability, we must worry about all the other companies who blindly build spies in our home.