Computer science student discovers privacy flaws in designs of eight security and doorbell cameras made by Google Nest, Samsung Ring, SimpliSafe and eight other manufacturers
Your doorbell cams and security cameras are not as private as you think. A young computer science student from the Florida Tech institute discovered that the connected doorbell cameras and security cameras had “systemic design flaws” in the doorbells and security cameras made by Ring, Nest, SimpliSafe, and eight other manufacturers.
Florida Tech computer science student Blake Janes found that the security cameras and doorbell cameras that had shared account allowed the deleted users to actually remain logged in and view the security video footage without the knowledge of the doorbell cam or security camera owner. All doorbell cameras and security cameras have shared account privilege which allows different people to view the security video footage like the owners, the police, the community watch, etc.. Janes found that when the doorbell camera or security camera owner removed the additional shared accounts from these cameras the dashboard showed these users as deleted but in fact, they could access the video footage.
This reflects a serious flaw in design by the doorbell cam and security camera makers which includes Google.
Janes discovered the flaw in the mechanism for removing user accounts does not let it work as intended on many camera systems because it does not remove active user accounts. This could allow potential “malicious actors” to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video of the owners and result in cybercrime, stalking, extortion, and even fatalities.
The flaw is concerning in cases where, for example, two partners are sharing a residence and then divorce or leave each other. Each has access to the doorbell camera and security camera dashboard through Apps like Google Nest. Now, even if the owner removes the person leaving the house, that person can access the dashboard without a hitch. The flaw doesn’t even notify the person leaving the house about his/her account removal.
So in effect, the third person has access even though it has been revoked on the camera and Person A’s smartphone and the account password has been changed. Janes teamed up with two other academicians to present his findings in a paper, “Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices.”
Doorbells and security cameras affected by this issue
Janes found following doorbell cameras and security cameras vulnerable to this design flaw :
Google Nest Camera Current and DoorBell Current,
Geeni Mini Camera,
Doorbell and Pan/Tilt Camera,
Momentum Axel Camera,
Samsung Ring Pro Doorbell Current and Standard Doorbell Current,
SimpliSafe Camera and Doorbell,
and TP-Link Kasa Camera.
Janes informed the doorbell and security camera makers about the vulnerabilities. Google recognized the vulnerability as a serious flaw and awarded Janes a bug bounty of $3,133 for identifying a flaw in the Nest series of devices. Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.
If you own a connected doorbell with a camera or a security camera manufactured by either of the above 12 companies, you should immediately update your firmware to mitigate this vulnerability.