The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 “smart” doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers. One device made by a company called Victure, for example, sent a user’s wireless name and password, unencrypted, to servers in China, according to the researchers.
In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect “unsafe or non-compliant products from being listed in our stores.” eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.
Read more of this story at Slashdot.