Vulnerability allows any user to launch commands through insecure web server

A security researcher has disclosed a serious vulnerability in a first-generation ‘smart’ doorbell that could, quite literally, open the door to malicious hackers.

The dbell WiFi Smart Video Doorbell (DB01-S) was found to have no authentication mechanism to prevent a remote attacker from launching commands.

Noah Clements, 19, who details his findings in a recent blog post (non-HTTPS link), said that if the IoT device was connected to a lock via a relay switch, an attacker would be able to open the associated door without any authorization required.

This is because the loginuse and loginpass parameters accept arbitrary values in requests sent over TCP port 81.

“You can put absolutely whatever you want as the username and password values and it will execute,” Clements said in the post published on Monday.

“It is not limited to opening the lock either, any .cgi function that is on the webserver can be executed without it properly validating the input.”

Clements privately disclosed his findings to dbell on July 4. The vendor responded by stating that the product in question had been discontinued three years ago.

Clements said that he then asked dbell to publicly disclose the vulnerability, which allegedly led the company to threaten him with legal action.

A series of hostile email exchanges is said to have followed – on September 26 the company was given two weeks to publicly disclose the vulnerability after Clements received guidance from the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

“This exploit is, as far as I know, un-patchable on dbell’s end,” Clements told The Daily Swig.

“The only mitigations I could think of would be to disconnect it from the internet, however that would remove a lot of the ‘smart’ capabilities.”

The Daily Swig has reached out to dbell and asked whether it plans to notify its customers about the product’s potential security risks, along with an estimate of how many DB01-S units have likely been purchased since it first became available in 2016.

The issue has been assigned CVE-2019-13336, and is also detailed on the National Vulnerability Database (NVD).

Clements has not yet tested any other dbell products for similar vulnerabilities – this was his first vulnerability disclosure.

IoT security remains a hot topic, with many companies forgoing security tests in their rush to get a product to market.

In 2016, for instance, security firm Pen Test Partners disclosed a firmware issue in The Ring, another smart doorbell, which would have allowed attackers to steal a user's WiFi key.

The company, in this case, responded to the disclosure in a timely fashion.

