11 smart doorbells purchased from online marketplaces have failed Which? security tests, in the latest example of smart products that could pose a risk to you and your home.
Smart doorbells with cameras let you see who's at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.
With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets.Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.
They look similar and promise comparable features, but Which? worked with expert cybersecurity researchers, NCC Group, to find that some of these devices have serious vulnerabilities.
We tested 11 different doorbells found on eBay and Amazon, many of which had scores of 5-star reviews, were recommended as 'Amazon's Choice', or on the bestseller list. One was labelled as the number one bestseller in 'door viewers'. We found vulnerabilities with every single one.
The model we tested - the Victure VD300 - sends your wi-fi name and password to servers in China unencrypted. Any hacker able to intercept this data could waltz right into your home network and gain access to other devices on it.
This problematic doorbell is a number one bestseller on Amazon, with a review score of 4.3 out of 5 from over 1,000 ratings.
Even more concerningly, we found a another unbranded doorbell on Amazon that looked identical to this Victure model, and the experts at NCC Group confirmed it. It looked the same and had exactly same vulnerabilities. There's no telling how many cloned doorbells with similar or different chassis are using the same underlying, unsafe software and hardware.
Which? was contacted by a customer who purchased the Victure doorbell and was concerned by the findings. After the seller of the Victure doorbell declined to give a refund, we took the case directly to Amazon, who agreed to fully refund the customer.
Some of these flaws we found enabled the physical theft of the doorbell, or made it easy for an intruder to switch off the device.
The Qihoo 360 Smart Video Doorbell, which was available on Amazon, was easy to steal as criminals could simply detach it from the wall with a standard Sim-card ejector tool included with all smartphones. It can then be reset and sold on.
Your recordings aren't exactly secure either, as they are stored unencrypted.
A video doorbell from a brand called Ctronics had a critical vulnerability that could allow cybercriminals to steal the network password, and use that to hack not only the doorbells and the router, but also any other smart devices in the home, such as a thermostat, camera or potentially even a laptop.
The Victure doorbell we tested, above, also had these issues.
We found this unbranded model on eBay and while it looks similar to a Ring doorbell, it most certainly isn't. A flaw in this doorbell can easily revert it to a 'pairing' stage. This takes it offline and could enable a criminal to seize control of it to steal the doorbell, or just stop it from recording while they burgle the customers' home.
We contacted eBay, who put us in touch with the seller of the product. They then removed the listing from sale.
We found a range of other issues with the other doorbells we tested - which were all unbranded, or from brands little known outside of online marketplaces. This vulnerabilities included:
Every doorbell we test goes through a full internet security check so we can identify the sorts of vulnerabilities we've noted here. If find some then we won't recommend the doorbell.
There are certain things you can look out for when you're shopping or setting one up, too.
We contacted both Amazon and eBay with our findings.
Amazon said: 'We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.'
eBay responded: 'When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer. We have and will continue to facilitate discussions between Which? and the sellers so the concerns can be addressed.'
We also attempted to contact the manufacturers of the doorbells but could only find details for Accfly and Victure, who did not respond. We could not track down someone to contact for the other doorbells, as some had no branding at all.
Which? wants upcoming legislation to be backed by strong and effective enforcement, and for the chosen enforcement body to ultimately have the power to suspend, permanently ban from sale or recall non-compliant products where necessary.
We also want to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.