refirm labs

Doorbells and IoT Security Certification: Retailers Need to Step Up

February 4, 2021

Introduction

Last July we announced our IoT Cybersecurity Education Program, providing free access to Binwalk Enterprise to help students learn about connected device cybersecurity. One of the early adopters has been Dr. TJ O’Connor, Assistant Professor at Florida Tech, who has used Binwalk Enterprise in his curriculum for the past two semesters.

Students Find Backdoors in Doorbells and Cameras

Today we published a guest blog by Dr. O’Connor and Daniel Campos, graduate student, outlining some of their research findings – and it is eye-opening, underscoring the insecurity of consumer devices.

While the blog is technical, it demonstrates dangerous backdoors in popular consumer doorbells and security cameras made by Merkury/Geeni, which they purchased from (and which are still available at) top trusted retailers in the US such as Walmart, Amazon, Home Depot, Best Buy and more. The vulnerabilities include:

  • hard-coded accounts that provide full access to the device
  • backdoors that, when accessed, explicitly skip writing to the audit log, so there is no trace that the device was accessed
  • the ability for the vendor to remotely get a telnet session to capture audio and video data, bypassing the consumer’s firewall
  • a denial of service attack that renders the doorbell unusable

Violating Consumer Privacy… or worse

Backdoors like these will be used by criminals to completely violate consumers’ privacy, and they put citizens’ security at risk when used by nation-state hackers.

These aren’t the first doorbells and cameras to have horrible security – our friends at NCC Group recently published similar findings for other manufacturers whose products are sold by common retailers.

IoT Needs Cybersecurity Certification Labels

Just as you expect that products you buy from name-brand stores won’t catch fire and burn down your house, you should demand that those same products won’t spy on you.

There are many emerging regulations pushing for IoT cybersecurity labeling to give consumers confidence in the products they buy: UL 2900, ioXt Alliance, and the Singapore Cybersecurity Labelling Scheme, to name a few. Labels allow consumers to make good purchasing decisions when it comes to cybersecurity, and force vendors to adopt secure development practices.

Retailers Need to Step Up

Labels also can be used by retailers to stop selling products that are insecure. Most retailers seem to be waiting for laws to be passed before stepping up to protect their customers.

They shouldn’t wait.

Retailers have an obligation to be proactive in pushing for proper cybersecurity in the IoT devices they sell. Think of it not only as doing something good for their customers, but as a differentiating factor in their retail strategy. Most people would prefer to shop at a place they know is looking out for their safety and best interests.

Retailers have policies to prevent selling products that burn down your house or make you sick – how about not selling horribly insecure IoT devices that turn your house into a hacker’s playground?
