Perhaps, Don’t Trust Your Doorbell!

“Alexa, tell me a spooky story?” … “Thank you. Yes. Amazon monitors its doorbells. Here’s an interesting fact. Their doorbells were pressed 15.8 million times at Halloween. And they have been sending passwords in plaintext over an unencrypted channel.”

This week, I gave a few demos of the insecurity of IoT devices at the Digit Expo. This included capturing encrypted Bluetooth packets from a heart rate monitor, and then cracking them within seconds.

Virtually every IoT device we have tested has some form of vulnerability.

And, so, if Amazon can’t even produce a secure doorbell for your home, we really must worry about all the other devices that are flooding into your home … your smart kettle, your smart TV, your smart fridge, and your smart microwave oven.

Overall, Bitdefender found that the Amazon doorbell used an unencrypted HTTP connection to send usernames and passwords in plain text. This would allow any intruder with a scanner to simply view the login details with Wireshark, and then take over the doorbell (and, of course, let themselves into your home).
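To audit your own device for the weakness described above, the following added example (not from Bitdefender or the original post) checks a raw payload from a capture of the device's traffic for credential fields readable as HTTP, and reports only where they appear, never their values. The field-name list and both sample payloads are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl

# Field names treated as credential-bearing (assumed list; extend for your device).
SENSITIVE = {"password", "passwd", "pwd", "pass", "psk", "username", "user", "login"}

def find_cleartext_credentials(payload: bytes) -> list[tuple[str, str]]:
    """Return (location, field) pairs for credentials visible in a raw HTTP request."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return []  # not a readable HTTP request (for example, TLS records)
    findings, headers = [], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # 1. Credentials placed in the URL query string.
    _, _, query = m.group(2).partition("?")
    for key, _ in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            findings.append(("query", key))
    # 2. HTTP Basic auth is only base64, so it is plaintext on an unencrypted channel.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True)
            if b":" in decoded:
                findings.append(("header", "Authorization: Basic"))
        except ValueError:
            pass  # malformed base64: nothing to report
    # 3. Form-encoded body fields.
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, _ in parse_qsl(body, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                findings.append(("body", key))
    return findings

# Constructed samples (not traffic from any real device).
PLAIN = (b"POST /login HTTP/1.1\r\nHost: device.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=alice&password=hunter2")
TLS = bytes.fromhex("160303004a0200004603035f")  # start of a TLS handshake record
```

An empty result for every payload the device sends is what you want to see; any finding means the login details are readable by anyone who can observe that network segment.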

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.