Walmart and Amazon are continuing to sell faulty smart doorbells and cameras filled with vulnerabilities that could expose customers’ sensitive information, according to research published Thursday.
The vulnerabilities, found in Geeni- and Merkury-branded security cameras and smart doorbells, would allow attackers to take full control of devices and remotely disable cameras through a denial of service attack in some cases, according to the research. In others, the flaws could allow for the disclosure of sensitive information and unauthenticated access.
Some other exploits would allow attackers to gain remote access to a stream of one of the affected doorbell cameras.
The flaws variously affect Merkury/Geeni doorbell models GNC-CW013, GNC-CW025 and MI-CW024 and camera models GNC-CW003, GNC-CW010, GNC-CW028 and MI-CW017, according to the research. Merkury is Geeni’s parent company.
Security cameras and doorbells that connect to the internet have been plagued by flaws for years. Just last month a TechCrunch investigation revealed that Amazon’s Ring doorbell app Neighbors could expose users’ location and home addresses. Two years ago Ring customers’ passwords were exposed in a massive leak that could allow third parties to access live camera feeds.
The research — conducted by TJ O’Connor, an assistant professor and the Cybersecurity Program Chair and Director of the IoT (internet of things) Security and Privacy Lab at Florida Institute of Technology, and his graduate student Daniel Campos — is a reminder that just because a security product is available for sale in popular retail stores, privacy and security may not be guaranteed.
O’Connor and Campos disclosed the flaws to MITRE and the company, Merkury Innovations, last November, but they have not yet been fixed, as The Washington Post first reported. Merkury spokesperson Sol Hedaya told CyberScoop in a statement fixes should be available later this month.
“We regularly update the security of our app and devices. We often work with security researchers like this to address theoretical vulnerabilities, and deeply appreciate the way in which the issues are raised and the ability to rectify and address them in a responsible manner,” Hedaya said, adding “we have no known exploits of any of these vulnerabilities.”
In the meantime, the flaws, some of which would leave no trace if exploited, are placing user security and privacy at risk, argues ReFirm Labs, whose software the researchers used to probe the products.
“Backdoors like these will be used to completely violate consumers’ privacy by criminals, and put citizens’ security at risk when used by nation state hackers,” ReFirm Labs stated in a blog post.
Some of the flaws the researchers found could be exploited if attackers used default accounts to connect to vulnerable systems, due to default and static passwords being built into the firmware or because of static usernames and passwords being stored in a shared library, according to the research.
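A defender can check an unpacked firmware image for this class of flaw before a device ships or is deployed. The following is an added example, not code from the researchers or ReFirm Labs; the file layout (etc/passwd, etc/shadow, *.so), the credential pattern and every sample value are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Credential-like "key=value" strings embedded in binaries (heuristic, an assumption).
CRED = re.compile(rb"(?i)(?:user(?:name)?|passw(?:or)?d)\s*[=:]\s*[\x21-\x7e]{3,}")

def audit_accounts(root):
    """Flag accounts in etc/passwd and etc/shadow that ship with a usable password."""
    findings = []
    for name in ("etc/passwd", "etc/shadow"):
        path = Path(root) / name
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            fields = line.split(":")
            if line.startswith("#") or len(fields) < 2:
                continue
            user, pw = fields[0], fields[1]
            if pw == "":
                findings.append((name, user, "empty password"))
            elif pw != "x" and not pw.startswith(("*", "!")):
                # A hash baked into the image is identical on every unit sold.
                findings.append((name, user, "static password hash"))
    return findings

def scan_libraries(root):
    """Flag credential-like strings inside shared libraries (*.so, *.so.N)."""
    findings = []
    for lib in sorted(Path(root).rglob("*.so*")):
        if lib.is_file():
            for m in CRED.finditer(lib.read_bytes()):
                findings.append((lib.relative_to(root).as_posix(), m.group().decode("ascii")))
    return findings

def demo():
    """Run both checks over a small constructed filesystem tree (not real firmware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "lib").mkdir()
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc::0:0::/:/bin/sh\n")
        (root / "etc/shadow").write_text("root:$1$SALT$CONSTRUCTEDHASH:0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n")
        (root / "lib/libexample.so").write_bytes(
            b"\x7fELF\x00username=EXAMPLE_USER\x00password=EXAMPLE_PASS\x00")
        return audit_accounts(root), scan_libraries(root)

if __name__ == "__main__":
    for group in demo():
        for finding in group:
            print(finding)
```

Any hit means the credential is the same on every device running that image, so the fix is a firmware change (per-device or user-set credentials), not a setting the owner can adjust.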
It’s a status quo that needs to change and retailers should step up, argues ReFirm Labs. Retailers could, for instance, use systematized labeling to alert customers to trustworthy products.
“Just as you expect products you buy from name brand stores won’t catch on fire and burn down your house, consumers should demand that those same products won’t spy on them,” ReFirm Labs said. “Retailers have an obligation to be proactive in pushing for proper cybersecurity in the IoT devices they sell.”
The security of internet-connected devices is an issue that has gained the attention of lawmakers on Capitol Hill. But while lawmakers recently passed a bill that would address the security of internet of things in federal government purchases, there is still no federal legislation that addresses the conditions under which IoT devices can be sold to consumers safely.
FAQs
Can my Geeni camera be hacked?
Researchers from the Florida Institute of Technology in Melbourne, Florida, looked at Merkury/Geeni GNC-CW013, GNC-CW025, MI-CW024 doorbells and GNC-CW003, GNC-CW010, GNC-CW028, MI-CW017 camera models. They found that attackers could gain privileged access to devices and listen to all audio and video recorded.
Is Geeni a good product?
Bottom Line. Geeni is a strong brand if you're looking for affordable security cameras with good video quality and a strong set of core features, but don't expect its cameras to be as smart as higher-end options such as Google Nest and Arlo.
Why does my Geeni doorbell camera keep going offline?
To get your Geeni device back online, perform a power cycle on your connected devices. Restarting the devices refreshes their connection to your router and clears connection errors. Once the device restarts, give it a moment to initialize before checking its status on the app.
How long does Geeni camera last?
Geeni smart camera
BATTERY LIFE IS AMAZING JUST HAVE TO CHARGE IT FOR A DAY AND IT'S GOOD FOR MONTHS ON END.
How do I know if someone is watching me through my camera?
Unfortunately, there is no direct way to check if the camera or the microphone of your Android device is being accessed. However, there is a workaround for it. Android users can download an app called Access Dots from the Google Play Store which will notify users the same way iPhone does.
Who is Geeni owned by?
Geeni is a trademark of Merkury Innovations LLC.
How secure are Geeni cameras?
Geeni cameras are designed to be secure and difficult to hack. However, no system is perfect, and it is possible that a determined hacker could gain access to your camera.
Will Geeni camera work without WiFi?
No, Geeni cameras cannot record without WiFi. However, they are designed to automatically reconnect to the WiFi network if the connection is lost, so in the event of a power outage or a disconnected router, the camera can still record.
Can someone else connect to my Geeni camera?
Yes, you can share Geeni devices. Note: The other user's number must be registered in the Geeni App.
What home cameras can be hacked?
Can Home Security Cameras be Hacked? Any device connected to the internet can be hacked, and that includes home security cameras. Wired cameras are less vulnerable than Wi-Fi cameras, and those with local storage are less vulnerable than cameras that store video on a cloud-based server.
What indoor cameras Cannot be hacked?
- Blue by ADT Indoor Camera.
- Wyze Pan Cam.
- Frontpoint Slimline Doorbell Camera.
- Abode Iota Gateway Cam.
- Haicam E23 Encryption Cam.
Geeni's app can control an unlimited amount of devices in an unlimited amount of locations. Your router may have a limit of how many devices can be connected to one router.