Bzzzzzzt! How safe is that keenly priced digital doorbell?

It’s the fourth Thursday in November, so it’s not just a day for saying “Happy Thanksgiving” to our US readers…

…but also a day for thinking about the cool new gadgets you have in mind for your Black Friday shopping spree tomorrow.

(Is it just us, or has Cyber Monday disappeared as a concept now that “Black Friday” is almost entirely online anyway, and seems to apply pretty much all day, every day from weeks before Thanksgiving to weeks afterwards?)

We don’t doubt that many people’s wish lists are topped out with new or newish devices such as Google Pixels, Apple iPhones, Sony PS5s and Microsoft Xboxen – if you can get them, that is.

But it’s not just the latest phones and gaming consoles that fill the Black Friday carts.

Home automation gadgets are popular purchases, too – especially if they look as though they’re top-notch products at bargain-basement prices.

That rings a bell

With that in mind, UK consumer magazine Which? recently went online and bought 11 different digital doorbells – a type of IoT device made popular by the Ring product – to see how they stacked up.

In theory, at least, a wireless doorbell is a splendid idea: you don’t need to drill a hole in your doorframe to shove a wire through; you can put the ringer wherever you like; you can take it with you when you move; and, thanks to the diminutive size of video cameras these days, many IoT doorbells let you see who’s calling, even when you’re not at home.

(With digital doorbells, you can also change the ring tone at will – you aren’t stuck forever with that two-tone chime that sounded so delightful at first but that you now regret.)

In other words, a wireless video doorbell sounds – pun intended! – as though it ought not only to simplify the DIY task of installing it but also to improve your home security as soon as it’s turned on.

In practice, of course, there’s a lot that can go wrong with internet-enabled doorbells.

You might end up reducing both your physical and online security at the same time.

Your physical privacy and security could be harmed because of the live video features of the doorbell – exploited by crooks or creeps to spy on you instead of helping you keep an eye out for them.

And your online security could be harmed because most digital doorbells need to be hooked up to your home Wi-Fi, thus potentially bringing exploitable software vulnerabilities or privacy-busting data collection “features” right onto your own network.

Cause for concern

As you have probably already figured out if you looked at the headline and the subtitle of the Which? article above, the results of the magazine’s experiment give real cause for concern:

The smart video doorbells letting hackers into your home.

All 11 doorbells we tested demonstrated high-risk security issues. [Which? 2020-11-23]

For what it’s worth, we might not describe all the vulnerabilities that Which? found as “high-risk” ourselves, given that it seems some of them aren’t irremediably baked into the affected devices and can be avoided by taking the time to set up the devices correctly, such as picking a proper password…

…but “high-risk” was the adjective that Which? chose, and we aren’t going to argue with their reasoning.

Sure, a device that arrives with a weak (and widely-known) default password can easily be made more secure at install time.

But if that’s what you expect new users to do, why not ship the device in a configuration that will prevent it working at all until it is set up properly?

Indeed, as Which? points out, UK regulations proposed at the start of 2020 for IoT devices would prohibit default passwords altogether:

All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.

Pick of the worst

Ironically, if we wanted to take issue with the word “high-risk”, it would be that for some of the flaws reported, the term simply isn’t strong enough, and “critical vulnerability” might be a better choice.

Here are three of the security holes that Which? found:

  • One product uploaded the local Wi-Fi password to the vendor’s servers in China unencrypted. Not only does the maker of the device have no need for your wireless password, sending it unencrypted means anyone snooping in the network along the way could retrieve it and sell it on.
  • A second product could be detached from your front door and stolen using a mobile phone SIM ejector tool (a thin metal pin on the end of a miniature handle), even though any data stored on it – presumably including images of recent visitors and your Wi-Fi password – was unencrypted.
  • A third device could be forced back into ‘setup’ mode at will from outside your house, essentially allowing crooks to turn it off before burgling your property.

What to do?

We wish we could give you some simple technical tricks that would let you tell good and bad home gadgets apart before buying them, or even suggest a reliable and practicable way to tell a well-secured device from a badly programmed one after setting it up.

Unfortunately, things aren’t that straightforward – and, ironically, finding privacy and security holes in devices that do “a bit of cybersecurity but not enough” can be surprisingly difficult.

(As an example, the researchers at Which? would have had to do a lot more work to detect the exfiltrated Wi-Fi password mentioned above if the device had used an encrypted connection to call home in the first place.)
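One practical way to check a device of your own for the first flaw listed above, and to see why the point in the previous paragraph holds: capture the doorbell's traffic and search every packet leaving the LAN for your Wi-Fi passphrase in the encodings a device is likely to use. This is an added illustration, not code from this article or from Which?; the home subnet, the passphrase and the packets are all constructed.

```python
import base64
import ipaddress
import urllib.parse
from dataclasses import dataclass

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

@dataclass
class Packet:  # one captured packet, reduced to what the check needs
    src: str
    dst: str
    dport: int
    payload: bytes

def needles(secret: str) -> dict:
    """Byte patterns a device might use to send a secret: raw, base64, URL-encoded."""
    raw = secret.encode()
    forms = {}
    for form, needle in (("plain", raw),
                         ("base64", base64.b64encode(raw)),
                         ("urlencoded", urllib.parse.quote(secret, safe="").encode())):
        forms.setdefault(needle, form)  # identical encodings count once
    return forms

def find_leaked_secrets(packets, secrets):
    """Return (dst, dport, encoding) for each packet leaving the LAN with a secret in it."""
    findings = []
    for pkt in packets:
        if ipaddress.ip_address(pkt.dst) in HOME_LAN:
            continue  # only traffic headed out of the home network matters here
        for secret in secrets:
            for needle, form in needles(secret).items():
                if needle in pkt.payload:
                    findings.append((pkt.dst, pkt.dport, form))
    return findings

WIFI_PSK = "MyHomeWiFi!2020"  # constructed passphrase
SAMPLE_PACKETS = [  # constructed capture from a doorbell at 192.168.1.50
    # Plain-HTTP registration call with the passphrase in a JSON body.
    Packet("192.168.1.50", "203.0.113.10", 80,
           b'POST /api/register HTTP/1.1\r\n\r\n{"ssid":"HomeNet","psk":"MyHomeWiFi!2020"}'),
    # The same data over TLS: ciphertext is opaque, so this search finds nothing.
    Packet("192.168.1.50", "203.0.113.10", 443,
           b"\x17\x03\x03\x00\x2a\x8f\x1d\xa0\x43\x9b\x77\xe2\x05\x6c\xd1\x3e"),
    # Form field carrying the passphrase base64-encoded: still trivially recoverable.
    Packet("192.168.1.50", "203.0.113.10", 8080,
           b"token=" + base64.b64encode(WIFI_PSK.encode())),
    # DNS lookup to the home router stays inside the LAN and is skipped.
    Packet("192.168.1.50", "192.168.1.1", 53, b"\x12\x34\x01\x00"),
]
```

The TLS packet carries the same data yet matches nothing, which is exactly the extra work Which? would have faced; a clean result from this check means "not seen in the clear", not "not sent".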

So, here are four “buyer beware” tips to help you keep risky devices out of your home network:

  • 1. Ignore online reviews on merchant sites. You have no idea who wrote those reviews or gave the product a good score. Which? reported that most of the 11 flawed doorbell devices they chose had “[20 or more] 5-star reviews.” Sadly, there’s a plentiful supply of fake reviewers out there who will promote products they’ve never seen, let alone used, often for very modest amounts of money.
  • 2. Don’t be deceived by name or looks. Budget devices are easy to build so they look similar to devices that have a good reputation. Also, many different-looking products are made by the same manufacturer, based on identical hardware and software, and then branded to look like different devices for a range of affiliate merchants. In short, just because a device looks like a known-good product means very little; and just because a device looks completely different from one you already know to be bad doesn’t really help you decide, either.
  • 3. Talk to someone you know and trust to help you judge. Some home device vendors have a good reputation for security, including providing prompt updates if vulnerabilities are found. Look for independent and objective advice to confirm that’s the case for any devices you plan to buy, to ensure that you are looking at the real deal, and that you are buying the right model.
  • 4. Be prepared to write off devices that don’t shape up. If you discover that a home device you bought has dangerous flaws and won’t be getting updates – and for cheap devices from budget merchants, that often happens – then ask for your money back. If you can’t get it back, be willing to get rid of the flawed device (please recycle responsibly!) and take the financial loss on the chin. Then GOTO 1.

Simply put, if in doubt, leave it out.

When it comes to home security gadgets, don’t risk making your security worse than it was before – you might as well keep your money in your pocket.