Password Extraction Via Front Doorbell

Not a day goes by without another IoT security hack. If you’re wondering why you don’t want your front doorbell connected to the Internet, this hack should convince you.

The hack is unfathomably stupid. You press the button on the back of the unit that pairs the doorbell with your home WiFi network, and it transmits the password in the clear. Sigh. It’s since been fixed, and we suppose that’s a good thing, but we can’t resist thinking for a moment about an alternative implementation.

Imagine, like all previous non-IoT wireless doorbells, that the doorbell transmitted a not-very-coded signal over an open frequency like 433 MHz to a receiver inside your home. Do the same with the video stream. Now the receiver can be connected to the Internet, and can be significantly more secure because it’s behind your locked front door. The attack surface presented to the outside world by the doorbell itself is small, and limited to faking a doorbell press or showing you pictures you don’t want to see. Yawn.

But because the outside doorbell unit could be connected to a network, it was. Now the attack surface extends into your home’s network, and if you’re like most people, the WiFi router was your only real defense.

Now we love the IoT, in principle. There are tons of interesting applications that need the sort of bandwidth or remote availability that the Internet provides. We’re just not convinced yet that a doorbell, or a fridge for that matter, meets the criteria. But it does add a hundred bucks to the price tag, so that’s good, right? What do you think? When does the risk of IoT justify the reward?

Thanks [Dielectric] for the tip!

52 thoughts on “Password Extraction Via Front Doorbell”

  1. >>>Showing you pictures you don’t want to see
    Oh my. I’d sooo make a ‘haunted doorbell’ with this. I mean, transmitting images of ghosts on somebody’s front door view display while ringing a bell is somewhere in between a really good prank and a quite sinister thing to do. I guess you could even overlay the video with an external transmitter if you time your transmissions well enough – or synchronise them by receiving the original camera’s video at the same time.

  2. >”Now we love the IoT, in principle. There are tons of interesting applications that need the sort of bandwidth or remote availability that the Internet provides.”

    What might those be? I’m not being facetious, I’d really like to know what people think the big application for this level of connectivity is, because I’m at a bit of a loss and clearly it’s going to have security issues I can’t see offsetting any potential utility at this point.

    1. IOT is awesome for stealing money from people. While in reality 99.997% of all uses do NOT require IOT but instead wireless things that connect to a small processor/hub that does the work and keeps everything private.

      But that does not extract a monthly fee out of a person’s pocket or allow you to sell all their data, therefore IOT is the way to go!

      100% of all this IOT crap can be done better with local processing and then send only the requested data out over the internet to the person’s phone. Zero requirement for everything to go to a server out there in the cloud that has poor reliability and zero security.

        1. I’m jumping on this bandwagon a bit, too. While I think there are numerous both deep and potential uses for the ‘network’, I think we are faced with the marketing of the ‘application’ before the availability of the more novel technology– (i.e. I can imagine the novel amazement at walking through a large city {or forest, even}, with the accented sight recognition of AR– Not ‘all’, but at least a ‘portion’ of Alexandria (and now) at a glance). Instead we have Oculus and refrigerators, more reasons to return to the basement.

      1. As far as I can see, the issue with a 433 MHz / etc. transmitter and a hub that deals with it and forwards the necessary bits to the Internet is:
        A) that hub will be massively overpriced – look at the price of Internet dongles for 433 MHz light/socket switches.
        B) they’ll never agree on a common standard, so you’ll need one for every brand
        C) if it’s a sufficiently configurable hub to connect to any future device, it’s probably going to have as many security holes as a wifi based thing.
        It’s easy to do DIY if you’ve got the skills, but it’ll be really expensive as a consumer unit.

    2. The biggest thing right now is home security and monitoring. Mostly because it’s something that people already use but is having to transition from phone lines to the internet. Even something as simple as a vacation home temperature monitor. You used to be able to buy little boxes that could call you if the temp dropped too low. There’s a market for a good cheap version of the same device but internet based.

    3. I think the IoT is going to be a lot like the internet bubble, remember that, people will just throw everything they can think of against the wall and see what sticks, in 20 years we will have the IoT things people really want (and hopefully with proper security) and the stupid things (like f**king internet connected doorbells) will just be things people think of when talking about stupid ideas.

      1. Well indeed I can recall back in the late 1970s everyone was asking “what can you do with a home computer?” and stupid answers like using them to store recipes were offered up, but even then those of us that were using them at work knew that there was far more potential in them than that. But I just can’t see that sort of future for IoT.

  3. Isn’t the biggest risk here that someone can just pop off and walk away with a $100+ doorbell rather than gain access to the wireless network? If you are worried about IoT devices, put them on their own Wi-Fi network which you can independently lock down.

    1. $100 doorbell they can’t use or sell except for parts. You cannot pair one to another account until the current owner releases it. So a few will get stolen by crackheads, but they won’t get more than $5.00 for them at a pawn shop.

      1. I once asked a police officer why someone would break a car window causing hundreds of dollars of damage just to get the spare change in a cupholder. The officer said because it didn’t cost them anything to break the window. $5 at a pawn shop is still $5 they didn’t have the day before.

        1. “The officer said because it didn’t cost them anything to break the window.”
          It costs nothing because he is leaving risk out of the equation. If you add probability and risk to that equation, the cost of breaking a window isn’t free.

          1. The cost to the cop is zero, so he/she does not care. The cost to that person’s car insurance (if covered for vandalism), and the added cost of the insurance if the insurance company raises that person’s rate: priceless.

  4. >It’s since been fixed

    sweet, have they fixed 3-5 second ringing lag too? when someone rings your magic Internet of Shit doorbell this button press is routed through half the world to some cloud server, so is the video stream.

    1. When I’m playing an online FPS and I press a button, that’s routed to the server and then to the other player in less than 200ms. If they’re getting a 3-5 second latency, something else is being slow; the Internet is pretty fast at routing packets.

        1. And the PoE electronics need not be that expensive: Silvertel seems to have modules at a reasonable price (Ag9705-2BR: $7.29@1pcs for 5V, 9W with internal diode bridges).
          I haven’t used them yet as I don’t have a PoE switch – which in itself carries a premium.

        2. I think he means connectors with integrated magnetics. Most don’t have the PoE pair (or center tap for gigabit) broken out. They exist, but are indeed quite a bit more expensive than a connector without PoE. Of course, you can just use a random RJ45 connector and a transformer.

  5. I think I’m losing faith in this site. First of all, this news is a month old. Second, when the security researchers contacted the company about it, they released a fix before the news was released publicly. Everything will have flaws. What I expect is quick fixes when found. So unless you want perfection and then nothing new will ever come out, then that is the best you can expect.

    1. OK, I’ll take the hit for the month old news since I submitted the link. Feel better now?

      Second, this kind of thing SHOULD NEVER BE RELEASED. Shame on the engineer who let it leave the building. Like it or not, IoT is the next new thing and tons of terrible things will be put out there. Publicize the easy fails like this as a warning to others, and look for dumb vulnerabilities in your own stuff too.

        1. _THIS_ mistake should never happen. For anyone educated in software engineering or (embedded) programming, it should be very much extremely clear that transmitting a password in the clear over a shared medium is asking for trouble.

        2. There’s a difference between “a race condition causes a crash that could result in privilege escalation if the stack is set up properly” and “changing the UID in an HTTP GET request lets me change another user’s data.” There are security bugs, and there are security stupid-security101-mistakes.

        3. There’s a step called Quality Assurance. You give your bit of hardware or software to people with various skill levels, who have not at all been involved with the development – and take notes on the many creative and unforeseen ways they find to break it.

          That’s what resulted in the iPhone 4’s antenna gap being placed precisely where most right-handed users would rest the tip of their little finger. The engineers knew that would short the antenna so in their testing would never hold it that way. I presume that in consumer testing (if they actually did any) they either got lucky where nobody shorted the antenna or that all tests were conducted in locations with the best cell signal strength ever, or testers were instructed to mind the gap.

          Sending a crew out to a couple of small towns with middling poor AT&T service then just handing out a few phones to people with no instructions on how to hold or use the phone would have quickly revealed the antenna error – assuming the engineers wouldn’t blow off the reports “Nothing wrong with our design! They just have to learn how to hold the phone properly.”

        4. I can tell either you guys are not developers or are new and have never had to produce products that go to a large group of people who like breaking things. I’ve spent over 20 years developing and I can tell you for sure. Software will never be bug-free, and the best you can expect is the company be honest about it and fix it quickly.

          Bugs like this look simple in retrospect, but trying to think of them all up front is not possible.

          Also remember to exploit this bug, you would have to walk up to the camera while being recorded, remove the device, most likely in street view and then you will just get this WiFi password. There are much safer ways to get it.

  6. There is no actual fix for this. NAND or SDRAM forensics reveal even encrypted WPA2 PSK even if you have some key exchange system where it’s only in SDRAM. You can take the unit off treated lumber or vinyl siding with your bare hands and there is a battery to preserve SDRAM.

    There is probably remote code execution in the software too and this unit transmits a lot of allocated data.

  7. I want to hack car infotainment systems. Spontaneously show people dinosaurs in their backup camera screens, and pipe roars through the audio. Not really, but that’s how a prankster thinks.

  8. WiFi was never designed for IoT and it is absolutely the wrong way to go.

    If you want secure IoT in a world where nodes can be easily stolen and analysed you cannot use a single shared key across the entire network, that is asking for trouble and a massive pain in the butt to fix once the key is compromised because you have to go and reconfigure every device on the network.

    A far better IoT system would have large key pairs for each device recruited onto the network so that the loss of any device would only require the revocation of its unique key and the analysis of a stolen device would tell you nothing about the credentials used by any other device on the network. Each IoT node only ever sees the router and the router controls packet flow at that level so your IoT doorbell can only ever change the status of a strictly defined block of data in a specific location. Any further sharing or processing of that data is done by a physically secured system that is locked down correctly so that data flow back to the IoT device is equally constrained, if permitted at all.

    This stuff is not rocket science, most of it is standard best practice and common sense, therefore any person or company who is doing things differently needs a cerebral massage with a brick.

      1. I am talking about the scenario where there are so many devices that it is easy to steal one and get the key off it. In the way of a metaphor have you heard of people having their car stolen while they sleep because they leave their keys in a predictable place and the thief just sneaks in and takes them? It happens all the time. Except in this case you have 1 key and it opens everything you have. Tell me why that isn’t stupid?

        1. It’s as stupid as creating only 40 ‘secret’ encryption keys for DVD video – then distributing billions of copies of the ‘codebook’ inside all the DVD players and DVD ROM drives.

          Oh. Seems that some industries haven’t learned a damn thing about security since then.

          1. My understanding is that the pricier enterprise WiFi routers may be able to handle hundreds of SSIDs each with their own unique key but the WiFi standard is not optimised for that and the management traffic overhead blows out. And after all that you still can’t be sure of always being able to have 1 key per client.

            So unless you add another protocol such as SSH over the WiFi and then only route those packets and only when they are properly authenticated, what can you do? If you can get that working you don’t even need the WiFi keys as SSH is handling all of the pair interactions, but then you need bigger CPUs that use more power… damned if you do and damned if you don’t.

            Any other ideas?

          2. I guess an option would be to use wpa2-enterprise and give each device its own username/password to connect to WiFi (so you can spot if a second device with the same credentials appears), coupled with perhaps enabling client isolation on the router.

          3. I researched that briefly, there was a huge cost issue and the management traffic overhead was a problem too, at best it looked like half a solution. The issue still seems to be that WiFi was never intended to be for a massive roll-out and management of IoT micro devices.
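One concrete way to get the per-device credential scheme proposed in comment 8, using the WPA2-Enterprise and client-isolation suggestion from the reply above, as an added example that is not part of the original post or its comments: the shared-PSK hostapd setting that a leaked doorbell password defeats, beside a per-device 802.1X setup backed by FreeRADIUS. Interface name, SSID, RADIUS address, device names and every secret are placeholders.

```ini
## hostapd.conf, WEAK: one WPA2-PSK shared by every IoT node.
## (constructed example) A doorbell that leaks this passphrase gives up
## the whole network, and rotating it means touching every device.
interface=wlan0
ssid=home-iot
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-shared-secret-known-to-all-nodes

## hostapd.conf, CORRECTED: WPA2-Enterprise, one credential per device.
## 802.1X/EAP replaces the shared PSK; the AP forwards authentication
## to a RADIUS server running on the physically secured hub.
interface=wlan0
ssid=home-iot
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=REPLACE-radius-shared-secret
## Nodes may talk to the AP/router only, never to each other.
ap_isolate=1

## FreeRADIUS "users" file: one entry per device.
## Revoking a stolen doorbell means deleting its single line; no other
## node's credential changes. Simultaneous-Use := 1 rejects a second
## session presenting the same credential (requires FreeRADIUS session
## tracking, e.g. radutmp or sql, to be enabled).
doorbell-front   Cleartext-Password := "REPLACE-unique-secret-1", Simultaneous-Use := 1
thermostat-hall  Cleartext-Password := "REPLACE-unique-secret-2", Simultaneous-Use := 1
```

Every node must carry an 802.1X supplicant (for example EAP-PEAP/MSCHAPv2 or EAP-TLS) to join this network; as the reply above notes, many IoT devices only speak WPA2-PSK, which is the real cost of this approach.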

  9. As a delivery driver, the ability to ring someone’s doorbell over the internet sounds absolutely amazing. Almost every delivery I am ringing the doorbell, beating on the door or calling them to get them to come to the door. It takes the average delivery 5 minutes to answer the door and calling ahead of time isn’t much of an option when police will pull you over for talking into a phone while driving (I don’t want to talk while driving anyway, that’s a safety issue).
