Last July we announced our IoT Cybersecurity Education Program, which provides free access to Binwalk Enterprise to help students learn about connected-device cybersecurity. One of the early adopters has been Dr. TJ O’Connor, Assistant Professor at Florida Tech, who has used Binwalk Enterprise in his curriculum for the past two semesters.
Students Find Backdoors in Doorbells and Cameras
Today we published a guest blog by Dr. O’Connor and graduate student Daniel Campos outlining some of their research findings. It is eye-opening, and it underscores just how insecure consumer devices can be.
The blog is technical, but its findings are plain: the authors demonstrate dangerous backdoors in popular consumer doorbells and security cameras made by Merkury/Geeni, devices they purchased from (and which are still available at) top trusted US retailers such as Walmart, Amazon, Home Depot and Best Buy. The vulnerabilities include:
- hard-coded accounts that grant full access to the device
- backdoors that, when used, explicitly skip the audit log, so there is no trace that the device was accessed
- the ability for the vendor to remotely open a telnet session and capture audio and video, bypassing the consumer’s firewall
- a denial-of-service attack that renders the doorbell unusable
Violating Consumer Privacy… or Worse
These aren’t the first doorbells and cameras with horrible security; our friends at NCC Group recently published similar findings on other manufacturers whose products are sold by common retailers.
IoT Needs Cybersecurity Certification Labels
Just as you expect that products bought from name-brand stores won’t catch fire and burn down your house, consumers should demand that those same products won’t spy on them.
Many emerging regulations push for IoT cybersecurity labeling to give consumers confidence in the products they buy; UL 2900, the ioXt Alliance, and the Singapore Cybersecurity Labelling Scheme are a few examples. Labels let consumers make informed purchasing decisions when it comes to cybersecurity, and they force vendors to adopt secure development practices.
Retailers Need to Step Up
Retailers can also use labels to stop selling insecure products. Most retailers, however, seem to be waiting for laws to be passed before stepping up to protect their customers.
They shouldn’t wait.
Retailers have an obligation to be proactive in pushing for proper cybersecurity in the IoT devices they sell. This is not only the right thing to do for their customers; it is also a differentiator in their retail strategy. Most people would rather shop somewhere they know is looking out for their safety and best interests.
Retailers already have policies against selling products that burn down your house or make you sick. How about also refusing to sell horribly insecure IoT devices that turn your house into a hacker’s playground?