That's ironic: Doorbell security cameras are easily hackable, Florida Tech researchers find

Support local journalism and stay in the know. Unlimited digital access to floridatoday.com is only $3 for 3 months.

You buy a "smart" camera or doorbell connected to a wireless camera, thinking you've better secured your home and family.

But recent research at Florida Institute of Technology shows how easily — with just modest computer skills — hackers can undo that false sense of security, breaking in through digital backdoors to gain remote access to your private life. 

Welcome to the Internet of Things (IoT), where vulnerable sensors, software and networks collide to connect our world, but where voyeuristic and criminal elements often lurk to invade it.

Terrence O'Connor, an associate computer science professor at FIT, and his graduate student, Daniel Campos, found vulnerabilities in seven models of smart cameras and doorbells made by Geeni and its parent company, Merkury Innovations.

"The vulnerabilities could enable a remote attacker to gain privileges access to the devices, listen to all audio and video recorded on the devices, and ultimately use the devices to covertly spy on their users," O'Connor wrote on the ReFirm blog entry, entitled "The Case Against Smart Devices."

Their research also was recently featured in a column by The Washington Post.

Weak security measures allow an attacker to log in, and gain access to camera feeds, files and recordings, FIT's research found. All an attacker needs to do, in most cases, is to figure out the default password that came with the device.

On one device they tested, an attacker could hack in and leave behind no trace they were ever there.

They found significant vulnerabilities in four security cameras and three doorbells with wireless cameras connected to them — devices commonly sold at popular retailers such as Amazon and Walmart.

An attacker could control audio and video from the devices, delete files or download them, the researchers found.

The FIT researchers used the Binwalk Enterprise Internet of Things (IoT) devices security tool from ReFirm Labs "to reverse engineer" the firmware and find the vulnerabilities.

Read more:Florida Tech researcher dies

Read more:Florida Tech researchers say plastic bottle caps could help save Indian River Lagoon

ReFirm, based in Maryland, automates the process of finding security vulnerabilities in IoT devices. The company gave the FIT researchers free access to their security tool as part of the company's IoT Cybersecurity Education Program

 The FIT researchers reported the doorbell and camera vulnerabilities to both MITRE — a nonprofit that manages federally funded research — and the vendor in November 2020. It was a heads-up to the company on what will be Campos' graduate thesis.

"We regularly update our app and devices for security and performance updates," Sol Hedaya, a spokesman for Merkury, wrote in an email. "We appreciate and often work with security researchers, such as the disclosure that was recently released.

"We’ve encountered no exploits of these vulnerabilities," Hedaya added. "Most of the vulnerabilities noted were based on a single old model that has been discontinued for some time and represents less than 0.1% of our active devices."

Hedaya said fixes for a vulnerability in other models already have been completed, and updated firmware will be released this month. 

"Over the weekend we were able to start pushing updated security updates to supported devices which removes the vulnerabilities noted in the report," Hedaya wrote in an email Monday. "The updates pushed already cover over 88%+ of active cameras and we’re continuing to roll out additional fixes."

But it's not just Merkury's devices that have issues. 

"There are several companies that have had similar problems," O'Connor said.

The industry doesn't always notify consumers that certain devices are insecure or discontinued, he added, and that homeowners should stop using devices if companies won't fix vulnerabilities.

"If they're not going to apply a security patch to that device … I would not use it, because it's just too easy at a novice level for an attacker to get into that device and get access to people's personal moments," O'Connor said.

In a blog post, ReFirm Labs CEO Derick Naef said IoT devices should be required to have cybersecurity certification labels.

Many other IoT home devices, such as locks and digital voice assistance, are hackable as well. The researchers blame sloppy coding practices, small margins that limit software development and lax federal enforcement. 

The U.S. Department of Commerce's National Institute of Standards and Technology oversees security issues on smart devices, but does so by helping set industry standards, rather than by strict enforcement.

But a law passed year will force companies to tighten security on smart devices and cameras used by the government.

"What we try to do is illustrate to the consumer how vulnerable they are," O'Connor said. 

Jim Waymer is environment reporter at FLORIDA TODAY.

Contact Waymer at 321-242-3663                                         

or jwaymer@floridatoday.com.

Twitter: @JWayEnviro

Facebook: www.facebook.com/jim.waymer

Support local journalism:  It you would like to read more government and political news, and you are not a subscriber, please consider subscribing. For details, go to offers.floridatoday.com.

Jim Waymer is environment reporter at FLORIDA TODAY.

Contact Waymer at 321-242-3663                                         

or jwaymer@floridatoday.com.

Twitter: @JWayEnviro

Facebook: www.facebook.com/jim.waymer

Support local journalism:  It you would like to read more government and political news, and you are not a subscriber, please consider subscribing. For details, go to offers.floridatoday.com.