IHS Markit says video doorbell use is on the rise, but are they safe?
Information and data experts at IHS Markit are reporting exponential growth in video doorbells, which are outpacing conventional video door phones. But are they safe?
DING DONG: Who's there? An IoT hack!
Following the mammoth US$ 13 billion (£9.9 billion) all-share merger of IHS and Markit, the company has released new research reporting that growth in video doorbells is currently vastly outpacing that of conventional video door phones.
The report, named Audio & Video Door Phones Report, claims that global revenue from the sale of video doorbells will grow at a compound annual growth rate (CAGR) of 28.2 percent from 2016 to 2020, to reach approximately US$ 271 million (£206 million) in 2020.
This vastly outpaces the growth rate for competing conventional video door phones, a market that is forecast to grow at 3.5 percent CAGR over the same period.
The report explains that, in essence, video doorbells have similar functionality to residential video door phones, with two-way audio and an integrated high-definition camera. The main difference is that the outdoor unit is synced with a user's smartphone, rather than with a fixed indoor unit.
Speaking on the security of these types of devices, Andrew Tierney, security consultant for PenTest Partners, told SCMagazineUK.com that: “They provide an ideal route onto your local network from outside the house. If they are wired, simply connect to the wires. If they are wireless, it's likely that the pre-shared key can be recovered and used. Realistically though, to be subject to a targeted attack like this, you need to be pretty special. As with many IoT devices, you are allowing a powerful embedded machine onto your network. Should an attacker gain control of the device, they have an ideal pivot point onto your home network. The barrier to being targeted like this is much lower. From a privacy perspective, a few people have complained about seeing other people's images, and they quite reliably leak when you are in the house or not. Again, you'd really need to be targeted for this to have a real impact on your life - a random doorbell picture is unlikely to impact you personally.”
According to the report, vendors in this emerging category have already announced partnerships with large residential security companies, and video doorbells will offer additional product options in the smart home and residential security businesses.
However, Cesare Garlati, chief security strategist at prpl Foundation, isn't as trusting of connected devices of this ilk: “You wouldn't just allow anyone through your front door, so why do people do it with their connected devices so willingly? When it comes to IoT in the home, people must realise that security of these devices just doesn't exist yet – which is ironic given that a large section of the marketplace is dedicated to ‘home security’.”
Garlati explained: “Consumers looking to purchase video doorbells and other smart home devices need to consider how they are connected and answer questions like: Do these systems really need a mobile app? Does the app really need to connect to a central server in the cloud? And most importantly, is it sound to have a smartphone control anything that is critical to you? These are all key questions to address when we look at IoT especially in the home as a vast majority will not use apps that are developed by the OEM, but rather assembled using a host of third parties – of which they have no control or visibility over.”
To try and combat this problem, Garlati says: “OEMs should implement open and interoperable standards in their devices and Home IoT Architecture should rely only on a local hub, and this hub should be secured. If researchers can break these devices, it's a safe bet that criminals may have already found a way in, too.”
Thomas Pore, head of IT at Plixer, adds, “Early this year a vulnerability was disclosed involving one of the leading innovators. With physical access, you can open the unit, configure it as an access point, gain access, and reveal the homeowner's Wi-Fi password.” In a targeted attack, a malicious actor would simply wait for the homeowner to be away, sneak up, modify the doorbell, collect your password, and hack your network at a later date. The vulnerability was disclosed and a patch was pushed to all active units and will be patched to vulnerable shelf units as they come online.
Pore explains: “Consumers currently utilising this technology need to be aware that they put themselves at risk. The Wi-Fi password vulnerability was discovered by researchers, but what happens if the next vulnerability is discovered by a cyber-criminal and is not reported or made public? IoT devices will introduce more exposure to you and heighten the risk of getting hacked or extorted. For the early adopters of this technology, what will happen when the manufacturer releases the next unit currently in development and stops releasing firmware (security) patches?”