11 smart doorbells purchased from online marketplaces have failed Which? security tests, in the latest example of smart products that could pose a risk to you and your home.
Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.
With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.
They look similar and promise comparable features, but Which? worked with expert cybersecurity researchers, NCC Group, to find that some of these devices have serious vulnerabilities.
Unsecure doorbells from little-known brands
We tested 11 different doorbells found on eBay and Amazon, many of which had scores of 5-star reviews, were recommended as ‘Amazon’s Choice’, or were on the bestseller list. One was labelled as the number one bestseller in ‘door viewers’. We found vulnerabilities with every single one.
Victure Smart Video Doorbell Camera
At around £90 this is close to some Ring doorbells in terms of cost, but miles behind them when it comes to security. We’ve found issues with Victure products before, namely its wireless security camera.
The model we tested – the Victure VD300 – sends your wi-fi name and password to servers in China unencrypted. Any hacker able to intercept this data could waltz right into your home network and gain access to other devices on it.
This problematic doorbell is a number one bestseller on Amazon, with a review score of 4.3 out of 5 from over 1,000 ratings.
Even more concerningly, we found another unbranded doorbell on Amazon that looked identical to this Victure model, and the experts at NCC Group confirmed it. It looked the same and had exactly the same vulnerabilities. There’s no telling how many cloned doorbells with similar or different chassis are using the same underlying, unsafe software and hardware.
Which? was contacted by a customer who purchased the Victure doorbell and was concerned by the findings. After the seller of the Victure doorbell declined to give a refund, we took the case directly to Amazon, who agreed to fully refund the customer.
Qihoo 360 D819 Smart Video Doorbell
Some of the flaws we found enabled the physical theft of the doorbell, or made it easy for an intruder to switch off the device.
The Qihoo 360 Smart Video Doorbell, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard Sim-card ejector tool included with all smartphones. It can then be reset and sold on.
Your recordings aren’t exactly secure either, as they are stored unencrypted.
Ctronics CT-WDB02 Wireless Video Doorbell
A video doorbell from a brand called Ctronics had a critical vulnerability that could allow cybercriminals to steal the network password, and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure doorbell we tested, above, also had these issues.
Unbranded V5 Wifi Ring Doorbell
We found this unbranded model on eBay and while it looks similar to a Ring doorbell, it most certainly isn’t. A flaw in this doorbell can easily revert it to a ‘pairing’ stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell, or just stop it from recording while they burgle the customer’s home.
We contacted eBay, who put us in touch with the seller of the product. They then removed the listing from sale.
Other security issues with smart video doorbells
We found a range of other issues with the other doorbells we tested – which were all unbranded, or from brands little known outside of online marketplaces. These vulnerabilities included:
- KRACK – One device, bought from eBay without any clear brand associated with it, was vulnerable to a critical exploit called KRACK (Key Reinstallation AttaCKs). This is a vulnerability in the Wi-Fi authentication process that would allow an attacker to break the WPA2 security on someone’s home wi-fi and so gain access to their network.
- Lack of data encryption – any device on your network has access to your wi-fi account and password, and some of the doorbells were sending that data unencrypted to Chinese servers. This means hackers could get access to this data and use it to infiltrate other devices connected on your network, including smartphones, tablets and laptops.
- Excessive data collection – how much does your doorbell really need to know about you? Far too much in some cases, such as the exact location of the device.
- Weak password policies – these models don’t prompt you to change your password and have a basic default one that would take a hacker seconds to suss out. They were also too easy to reset to the default password in some cases, meaning someone could easily hack in. Use of default passwords would be illegal under the new IoT legislation proposed by the UK government.
How to keep your doorbell secure
Every doorbell we test goes through a full internet security check so we can identify the sorts of vulnerabilities we’ve noted here. If we find some, then we won’t recommend the doorbell.
There are certain things you can look out for when you’re shopping or setting one up, too.
- Look at the brand. If you haven’t heard of the brand, or there’s no brand at all, then you should be cautious. Try searching for the brand to see if they have a website or are easily contactable. If you can’t, then you should give the device a wide berth.
- Check the reviews. As our fake reviews investigations have shown, you can’t always trust the reviews on a product page. Look out for negative ones in particular; these will sometimes give you a better, more trustworthy indication of the true quality of a product.
- Change the password. This is true of any internet-connected device: always change the password. The most difficult to hack are made up of three random words.
- Keep it up to date. Software updates are rarely about adding features; more often than not they are fixing issues and making your doorbell more secure. Check the settings to see if your doorbell updates automatically and update the app used to control it.
- Set up two-factor authentication. This isn’t always available, but if it’s an option then be sure to enable it. It adds an extra layer of security, usually by sending a unique code to your phone that is used to access the device in addition to a password. It’s very difficult for a hacker to access these unique codes.
What did the marketplaces say?
We contacted both Amazon and eBay with our findings.
Amazon said: ‘We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.’
eBay responded: ‘When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer. We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed.’
We also attempted to contact the manufacturers of the doorbells but could only find details for Accfly and Victure, who did not respond. We could not track down someone to contact for the other doorbells, as some had no branding at all.
Which? calls for tougher action on smart products
Which? wants upcoming legislation to be backed by strong and effective enforcement, and for the chosen enforcement body to ultimately have the power to suspend, permanently ban from sale or recall non-compliant products where necessary.
We also want to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.