Data Security and Privacy Gaps Found in Video Doorbells by Consumer Reports' Tests
Our tests of 24 video doorbells revealed issues with five models
Video doorbells make it easy to see who’s at your door, a convenience that provides a sense of security. But like any internet-connected security camera, they’re also susceptible to hacking. So as part of Consumer Reports' ongoing efforts to protect consumers from hackers, we recently conducted data security and data privacy tests on the 24 video doorbells in our ratings, including five new models.
“Often these cameras are pointing out into public spaces, but you still don't want to give hackers the ready ability to see who's coming and going from your house, and when,” says Justin Brookman, director of privacy and technology policy for Consumer Reports.
Consumer Reports’ Digital Lab evaluates digital products and services for how well they protect consumers’ data privacy and security. The most critical findings from our tests of video doorbells concern security vulnerabilities we discovered in five models from four brands that can expose user data like email addresses and account passwords. The brands are:
You can skip ahead to read more on our security vulnerability findings.
Our tests also revealed that most video doorbells lack two-factor authentication, a widely used security feature that sends users a temporary, one-time passcode, typically via text message, email, phone, or mobile app, to use in addition to their password for logging into their accounts. With this feature enabled, a hacker can’t log in to your video doorbell account even if they have your password.
In fact, barely a quarter of the brands we tested have two-factor authentication. The only ones that have it are Arlo, August, Google Nest, Ring, and SimpliSafe.
In addition, many video doorbell manufacturers fail to minimize the amount of data they collect from users and don’t offer consumers an easy way to request a copy of their data and/or delete it.
Our experts in the Digital Lab use The Digital Standard, an open-source set of criteria for evaluating digital products and services that CR created with other organizations, to conduct our security and privacy tests, scoring video doorbells on more than 70 indicators. Through these tests, our researchers created data privacy and data security ratings for each doorbell.
For data security, we use special tools to see if video doorbells have various security measures, such as encryption. We also look for, among other features, two-factor authentication, automatic software updates, and email notifications for when a user logs in from a new device or IP address.
For data privacy, we examine privacy setting options and publicly available documents, such as privacy policies and terms of service, to see how manufacturers collect and use your data, including whether they disclose how they collect your data and whom they share it with.
We also use more specialized techniques to look for potential security vulnerabilities that hackers could exploit to access the camera or personal data. “Since these techniques may not be comparative from model to model, we don’t incorporate it into our ratings,” says Maria Rerecich, senior director of product testing at CR. “But we do it so we can inform manufacturers of any issues we find and get them to improve the security of their products. Ultimately, our goal is to protect consumers from people who want to do them harm.”
Here’s a closer look at our findings. CR members can see the results of our performance tests, such as video quality and response time, in our video doorbell ratings.
Most Video Doorbells Lack Two-Factor Authentication
Only five of the 16 doorbell brands we tested offered two-factor authentication. They are Arlo, August, Google Nest, Ring, and SimpliSafe. They all encourage or require users to enable the feature, instead of burying it in the settings of the doorbell app.
“It’s 2020. Multifactor authentication should really be standard on any security camera or video doorbell nowadays,” says Brookman. “It provides a basic layer of protection to help ensure that hackers can't access your camera feeds.”
The doorbell brands that lacked this security feature at the time of our tests are Blue by ADT, Eufy, Geeni, GoControl, LaView, Maximus, Netvue, Night Owl, Remo+, Toucan, and Wisenet. Consumer Reports reached out to these 11 brands to see whether they plan to add the feature. We received responses from six companies:
- Blue by ADT says its doorbell will get the feature “before the end of the year.”
- Eufy says it’s starting to deploy two-factor authentication in the U.S. now.
- Geeni says it will add the feature to its mobile app by Q4 2020.
- Kuna says it plans to release two-factor authentication for the Maximus doorbell in early October.
- Night Owl says it's going to release a new video doorbell in September that will offer two-factor authentication, but the feature will not come to existing doorbells.
- Wisenet says it’s in the early development stage for the feature and can’t yet provide a timeline for its release.
Two-factor authentication is a critical security feature that we look for in our data security tests, but it’s not the only criterion we use in our evaluation. All the models met many other data security criteria, and as a result they all scored well. Two models, from Arlo and Google Nest, received an Excellent rating for data security, while 12 models received a Very Good rating. They include video doorbells made by August, Blue by ADT, Ring, SimpliSafe, Toucan, and Wisenet.
Over the past two years, Ring has made news due to hacks of its doorbell and camera accounts, security vulnerabilities in its doorbells, and scrutiny of its police partnerships. But our tests, conducted from May to June, showed that the security of Ring devices was quite good.
“We actually found Ring’s doorbells to be better than many other video doorbells when it comes to security,” says Cody Feng, CR’s test engineer for privacy and security. “In general, more issues have likely been found in Ring products because they’re popular, and security researchers pay more attention to popular products.”
Video Doorbells Need Better Privacy Protections
In our data privacy tests, no video doorbell received an Excellent rating. And only one video doorbell, the SimpliSafe Doorbell Pro SS3, received a rating of Very Good.
The SimpliSafe model offers detailed policies that explain how the company handles users’ data, and has more safeguards for protecting your privacy, so your data is less likely to be used for unnecessary purposes or shared with irrelevant parties.
Most manufacturers collect more personal data than they need for their product to work, don’t give users control over their data, and don’t specify how long they retain data.
Half of the models in our tests received a Good rating for data privacy, including models from August, Blue by ADT, Google Nest, LaView, Ring, and Wisenet.
“These companies should only use your data to provide you a service,” says Brookman. “Anything beyond that, whether it’s analyzing video footage to identify faces or sharing information with police, should only be at the owner's direction.”
Other Security Vulnerabilities
Besides scoring companies on their data privacy and data security practices, we also check video doorbells for any security lapses that we feel should be addressed to better protect consumers.
These findings don’t factor into a doorbell’s Overall Score, but we still check for them because they could expose users' sensitive data, like email addresses, and passwords for accounts and WiFi networks. “These vulnerabilities can be easily fixed by a software update, and manufacturers should patch them for better data protection,” says Feng.
Because the manufacturers have yet to fix all but one of the 11 vulnerabilities we discovered, we can’t fully describe the issues; we want to avoid supplying information to potential hackers. However, we can tell you which models are affected, some of the risks facing consumers, and how the manufacturers responded to our findings.
Eufy: We found two vulnerabilities in the Eufy T8200 video doorbell, one of which exposes account information, such as email addresses and WiFi passwords. Eufy told CR that it has released an app update (v1.76) to fix the account information issue. If you own this doorbell and use an Android device, update to the latest version of the Eufy Security app.
GoControl: If you own a GoControl GC-DBC-1 video doorbell, your username and password could be leaked. GoControl has not responded to CR’s request to fix the problems.
LaView: We found two vulnerabilities in the LaView One Halo LV-PDB1630-U video doorbell, one of which exposes users’ WiFi names and passwords. LaView disagreed with the severity of one of the issues we found and has not said it will fix the other issue.
Netvue: We found four vulnerabilities in the Netvue VueBell Camera Video Doorbell NI-4011 and Netvue Belle AI video doorbells. Hackers could potentially access user passwords and find email addresses linked to accounts. Netvue described the issues we discovered as “low-risk hidden dangers.” Netvue representative Grace Zeng says, “We will improve and try our best to provide users with better and safer products and services.” If you own a Netvue video doorbell, make sure you’re using the latest version of the Netvue mobile app in case the company implements fixes to resolve the issues.
Top Video Doorbells From CR’s Tests
Here are the top five models from our updated video doorbell ratings. They all rate Good or higher for data privacy and Very Good or higher for data security.