British consumer rights group Witch? Found vulnerabilities at all security levels in 11 different smart doorbells (IoT). The vulnerabilities were found in partnership with security researchers from the NCC Group.
The survey identified vulnerabilities at all levels, ranging from weak password policies (which allows criminals to guess the factory default password), excessive data collection and even lack of encryption, which allows cybercriminals to access exposed information with a low level of protection.
These vulnerabilities, especially the lack of encryption in the data collected, are ports that can lead to other more serious attacks such as find out the password for the network to which the bell is connected, allowing cybercriminals to access other devices connected to the same doorbell network.
The 11 tested devices were purchased on Amazon and eBay, two of the most popular e-commerce in the United States. Many of these devices were on bestseller lists, with positive reviews and ratings. Some even claimed to be “Amazon’s choice”.
The researchers found that the Victure VD300 smart doorbell, sold on Amazon for about $ 450, sends unencrypted information, including information from the Wiffi network that is connected for servers in China. The Qihoo 360 D819, also sold on Amazon for the same price range, records and stores the video without encryption.
Like Victure’s and Qihoo’s bells, Tronics’ CT-WDB 02 intelligent surveillance camera also has a vulnerability that allows attackers steal passwords from the network to which it is connected.
Some generic, non-branded devices tested by the NCC Group also have vulnerabilities that allow cybercriminals discover the WPA2 password of the Wi-Fi network, in addition to other flaws that if explored can make the equipment completely shut down.
The consumer rights group contacted Amazon and eBay about the results they found. EBay said it removed ads for the sale of vulnerable products. But Amazon said it works in compliance with the law, in addition to use “industry-leading” tools to prevent unsafe products from being sold on the site.
Source: Which?
See the original post at: https://thehack.com.br/campainhas-inteligentes-enviam-dados-nao-criptografados-para-china-e-podem-ser-facilmente-invadidas/?rand=48873
