The Washington Post

The Cybersecurity 202: Smart home devices with known security flaws are still on the market, researchers say


with Aaron Schaffer

Popular retailers including Amazon and Walmart are selling smart doorbells and other internet-connected devices with significant cybersecurity vulnerabilities, researchers at the Florida Institute of Technology found.

The new research adds to growing concerns about the proliferation of insecure smart-home devices online and the lack of government oversight protecting consumers from vulnerable devices.

TJ O'Connor, a computer science professor at Florida Institute of Technology, and his graduate student Daniel Campos say they found vulnerabilities in seven models of smart doorbells and cameras from device maker Geeni and its parent company Merkury Innovations.

The vulnerabilities, they say, provide hackers a range of ways to manipulate and control audio and video from the devices, including downloading or deleting files. In one model, researchers found a backdoor that allowed hackers to get in without leaving any signs that the device had been accessed.

The level of skill needed to pull off the attacks would be relatively low, O'Connor says. Most of the attacks relied on figuring out the default password that came with the device.

The researchers flagged the findings to Merkury in November, but the vulnerabilities have yet to be fixed, O'Connor says. 

Merkury is aware of the findings and said that its teams have been working on an update to patch the vulnerabilities scheduled to be released this month, spokesperson Sol Hedaya wrote in an email. Two of the models flagged by researchers “are discontinued product that sold very small quantity and which represent less than 0.1% of our active devices,” Hedaya added. 

"We regularly update the security of our app and devices," Hedaya said. “I would stress that we have no known exploits of any of these vulnerabilities.”

Users shopping for a smart doorbell online would probably be unaware of the issues.

It's not clear how many devices the updates would affect, but the models flagged by the researchers have accrued thousands of positive reviews across popular online retailers including Home Depot, Best Buy, Walmart and Amazon.

“We require all vendors to follow applicable laws, regulations, and industry standards and will work directly with the vendor to look into these concerns,” Christina Cornell, a spokeswoman with Home Depot, told The Washington Post.

Best Buy and Walmart did not return a request for comment. Amazon did not provide a comment by deadline. (Amazon CEO Jeff Bezos owns The Washington Post.)

Vulnerabilities have shown up in Internet-connected home devices time and time again.

In the spring, a student from O'Connor's lab discovered a separate set of design flaws in Internet-connected security cameras and doorbells from 11 other manufacturers. Vendors including Google and Samsung were quick to respond with fixes to the problem, O'Connor said. Google even offered the student a reward for finding the bug.

And in recent years there has been a string of incidents tied to popular home security device companies.

In 2019, malicious actors obtained user passwords to access the Amazon Ring accounts of multiple users, in some cases harassing families. Hackers have also accessed Google Nest cameras. Most recently, security camera company ADT was sued after its own employee accessed the cameras of more than 200 customers without authorization by exploiting what the lawsuit claims were inadequate security procedures.

Common among all these instances is that the hackers needed only very simple tools to get in. “I like to call it the 1999 of hacking all over again,” O'Connor says. The tools his lab uses to test Internet of Things devices would be novice level in the late '90s and are nowhere near the level of sophistication required to attack other trusted personal devices such as our laptops and phones.

O'Connor says there are some vendors taking security seriously, but that's not often publicized. “Here's the thing: You walk into Best Buy and you look at that device, and you look at the device sitting next to it, and there's nothing that informs the consumer [which] vendor is doing it the right way,” he says.

The Internet of Things is still a Wild West for security. 

Although there has been talk about pushing for third-party auditing standards such as those used to vet appliance safety, there's very little regulatory scrutiny, which experts say has contributed to security practices that are all over the map. 

The landscape of connected devices is only getting bigger. And according to researchers at Nokia, hackers are noticing: IoT devices were responsible for roughly a third of infections connected to mobile networks in 2020.

“I can't put a refrigerator in my house unless it's gone through…testing to make sure that it's not going to explode,” O'Connor says. “But with very little oversight, there's a device that sits right next to my bed at my house that has a microphone attached to it. And there's a camera that points right at my living room.”

Testing by manufacturers isn't uniform, experts say. 

ReFirm Labs co-founder and chief security officer Terry Dunlap says that in his experience working with manufacturers on vulnerabilities analysis, many aren't willing to cut into their bottom lines to audit security. ReFirm Labs provides open source software for IoT vulnerability research that was used by Florida Tech.

“No one seems to be taking secure coding seriously. I think it starts with the manufacturers,” says Dunlap. "I don't know who these people are hiring to code these devices but it's just sloppy programming."

“It's clear that they're not undergoing testing because the vulnerabilities we're finding are very, very easy to find,” O'Connor said.

Right now there's no federal law setting standards for Internet-connected devices before they reach consumers. A California law requiring manufacturers to introduce reasonable security features in Internet-connected devices went into effect in January 2020. The law helps prevent attacks relying on default passwords, such as those discovered by the Florida Tech researchers — but not much else.

A federal law passed last year could push some manufacturers to shape up. 

“These reports underscore the importance of strengthening cybersecurity in both the public and private sector, an issue I’ve long worked on,” Sen. Maggie Hassan (D-N.H.), co-sponsor of a bill signed into law last year introducing security requirements for IoT devices used by the government, said in a statement.

She said she hopes to “leverage the purchasing power of the federal government to incentivize better security for all internet-connected devices” with the new law.

But Dunlap, who consulted on early drafts of the legislation, was less certain.

“I think [manufacturers] are waiting to see what the ramifications are for government contractors in this,” he says. “It's voluntary compliance and it's all going to depend on the oversight of who's actually checking to make sure that these devices are in the compliance with the law.”

The keys

Hackers targeted Italian users with a fake version of WhatsApp.

Researchers found links between the fake WhatsApp download pages and Italian cybersecurity company Cy4Gate, Motherboard’s Lorenzo Franceschi-Bicchierai and Joseph Cox report.

The fake apps were probably designed to allow hackers to then download spyware that could steal user data, Citizen Lab researcher Bill Marczak said. It is unclear what data the campaign yielded or who the campaign targeted.

Cy4Gate, which has pitched its surveillance tools to the Italian government, could face scrutiny by Facebook-owned WhatsApp, which has sued Israeli spyware company NSO Group for allegedly hacking the app.

There is no indication SolarWinds attack hit 2020 election systems, top cyber official says

Brandon Wales, the acting leader of the Cybersecurity and Infrastructure Security Agency, said that the far-reaching cyberattack is being viewed as a long-term intelligence-gathering operation. Wales also said that the intelligence community has completed its initial report on foreign interference efforts in the 2020 election, which is not expected to have any revelations beyond what has previously been reported.

Wales, who was speaking at the winter meeting of the National Association of Secretaries of State, previewed how the cybersecurity-focused agency will balance its efforts to combat cyberattacks and organized campaigns to spread false information, Reuters’s Chris Bing reports.

The House Armed Services Committee established a new cybersecurity subcommittee. 

Rep. Jim Langevin (D-R.I.) will lead the new committee, which has jurisdiction over Defense Department cybersecurity and operations. The move comes as U.S. officials face the fallout of a Russian cyberattack on SolarWinds and other companies, which reportedly affected the Defense Department. Part of the new subcommittee's mandate will be looking at computer software acquired by DOD.

“As technology continues to advance at an incredibly rapid rate from artificial intelligence to biotechnology and everything in between — it is critical that the Armed Services Committee redoubles our efforts to bridge the gap between current capabilities and future requirements,” Armed Services Committee Chairman Adam Smith (R-Wash.) and Langevin said in a joint statement, later noting that “while we are proud of what has already been accomplished, we considered how a more targeted focus could help us achieve even more objectives in the domain.”

Industry news

  • IBM will award grants valued at $3 million to six school districts in the United States to help strengthen cybersecurity in schools, the company announced today. The grants will sponsor teams of IBM experts.
  • Stephen Binhak, a former member of Ken Starr's Whitewater team, is representing United Arab Emirates-based cybersecurity company DarkMatter and one of its founders in a U.S. lawsuit by an Al Jazeera anchor, Ghada Oueiss. She alleges that the Saudi and UAE governments conducted a hack and leak operation to undermine her character and career.


  • The House energy and commerce committee holds a hearing on fighting fraud and scams amid the coronavirus pandemic today at noon.
  • The “Identity, Authentication, and the Road Ahead” virtual conference takes place today and Friday. 
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, speaks at a meeting of the National Security Telecommunications Advisory Committee on Feb. 10 at 1 p.m.
