Multiple vulnerabilities in smart doorbells expose thousands of users

Security flaws keep surfacing in smart doorbells from multiple brands. A recent report finds that consumer-grade devices ship with severe vulnerabilities that expose users to credential theft, authentication failures and other critical weaknesses.

The report, by NCC Group, assessed the security mechanisms of doorbells from three manufacturers (Victure, Qihoo and Accfly) and reached unsettling conclusions: “Companies continue to put up for sale devices with multiple problems, which extend to imitation devices, spreading the problem on a large scale,” the experts mention.

Researchers found a wide range of security issues, many of which could be exploited by threat actors with little effort. Some of the most baffling flaws lie in the mobile apps used to control these devices, showing that the possible attack paths are varied.

Experts analyzed the following models:

  • Victure VD300
  • Accfly Smart Video Doorbell V5
  • Qihoo 360 D819 Smart Video Doorbell

A device sold only as “Smart WiFi Doorbell”, built on hardware from the manufacturer YinXx, was also analyzed.

One of the main flaws was found on the Qihoo device, which runs an undocumented DNS service that would allow malware to be delivered to the user. Separately, the experts found an undocumented HTTP service listening on port 80 of the Victure doorbell.

Regarding the mobile apps used to control these devices, the experts found that most of them use unencrypted communications: “On some devices, HTTPS doesn’t even apply or exist; Victure’s mobile app even requests a root certificate through an HTTP request.” The absence of encryption lets an attacker on the network path read sensitive information exchanged between the device and the app, including usernames, passwords and configuration data.
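The two failure modes described above (credentials sent over plaintext HTTP, and trust material such as a root certificate fetched over plaintext HTTP, which lets anyone on the path swap in their own certificate) are easy to spot in a proxy capture of an app's traffic. The following audit script is an added example, not code from the NCC Group report or from any vendor; the log lines, hostnames and paths are constructed for illustration and are not real findings.

```python
"""Flag cleartext traffic that a doorbell companion app should never send.

Added example, not code from the NCC Group report or any vendor. The log
lines below are constructed to resemble a proxy capture of app traffic;
the hostnames and paths are hypothetical.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture: one request per line, "METHOD URL [body]".
SAMPLE_LOG = """\
GET http://api.example-doorbell.test/ca/root.pem
POST http://api.example-doorbell.test/login?user=alice&pass=hunter2
POST https://api.example-doorbell.test/login
GET http://api.example-doorbell.test/device/config user=alice&token=abc123
GET https://cdn.example-doorbell.test/firmware/v1.2.bin
"""

# Parameter names that should never travel in the clear.
SENSITIVE_PARAMS = {"user", "username", "pass", "password", "token", "session", "apikey"}

# Paths that look like certificate / trust-anchor downloads.
TRUST_MATERIAL = re.compile(r"\.(pem|crt|cer|der)$|/ca/|/cert", re.IGNORECASE)


def classify_request(line):
    """Return a list of finding tags for one 'METHOD URL [body]' line."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return []
    url = parts[1]
    body = parts[2] if len(parts) == 3 else ""
    u = urlsplit(url)
    findings = []
    if u.scheme != "https":
        findings.append("cleartext")
        # Merge query-string and form-body parameters, then compare names
        # case-insensitively against the sensitive list.
        params = {**dict(parse_qsl(u.query)), **dict(parse_qsl(body))}
        if SENSITIVE_PARAMS & {k.lower() for k in params}:
            findings.append("credentials-in-clear")
        # A root certificate fetched over HTTP can be replaced in transit,
        # so everything later validated against it is worthless.
        if TRUST_MATERIAL.search(u.path):
            findings.append("trust-material-over-http")
    return findings


def audit(log_text):
    """Map each offending request URL to its list of findings."""
    results = {}
    for line in log_text.splitlines():
        tags = classify_request(line)
        if tags:
            results[line.split(maxsplit=2)[1]] = tags
    return results


if __name__ == "__main__":
    for url, tags in audit(SAMPLE_LOG).items():
        print(url, "->", ", ".join(tags))
```

In practice the input would be exported from an intercepting proxy placed between the phone and the internet; the point of the check is that any hit in the output is a finding on its own, regardless of what the app does afterwards.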

Finally, the experts note that virtually all of the analyzed devices are affected by severe hardware-level design flaws, which would affect thousands of users, especially those with cloned devices.