This article deserves more notice than it got....
The consumer advocacy group found issues with a dozen seemingly identical video doorbells sold under brand names including Eken and Tuck. All are made by the Eken Group, based in Shenzhen, China, and controlled through a mobile app called Aiwit, which Eken operates, CR said.
Eken and Tuck are not well-known brands in the video doorbell market, yet they are relatively strong sellers online. The doorbells appeared in multiple listings on Amazon, with more than 4,200 sold in January alone. Both brands are often touted as "Amazon's Choice: Overall Pick," CR stated.
What is the definition of an "Amazon's Choice"?
That's a good question, but arguably one of the better answers is probably "doesn't get returned often."
This much I can assure you -- Amazon doesn't verify the security chops of such an app or device, and apparently neither does Google's Play Store other than by automated scan, because despite this article and CR's warning the app is still on the Play Store and claims all data is encrypted in transit and none is collected.
This may be true, by the way.
But as I've noted repeatedly over the years, when it comes to home security, surveillance cameras are a special problem. The common protocol used to stream data, RTSP, dates to 1998, and while there is a replacement as a "proposed standard" in RFC 2876, it is not backward-compatible. RTSP offers only authentication via a digest method for access and no security whatsoever on the payload, which is live video and audio!
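A check for the gap described above, as an added example that is not from CR's report or from HomeDaemon: it reads an RTSP handshake plus SDP description and reports which authentication scheme is offered and whether each media stream is declared as plain RTP or as SRTP. The sample exchange is constructed for illustration, not captured from any device, and the function names are this example's own.

```python
import re

# Constructed sample of what a passive observer on the LAN would see when a
# client opens a typical camera stream. Not captured from any real device.
SAMPLE_EXCHANGE = (
    "RTSP/1.0 401 Unauthorized\r\n"
    "CSeq: 2\r\n"
    'WWW-Authenticate: Digest realm="camera", nonce="constructed-nonce"\r\n'
    "\r\n"
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.0.2.10\r\n"
    "s=constructed stream\r\n"
    "m=video 0 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
    "m=audio 0 RTP/AVP 0\r\n"
)

SRTP_MARK = "SAVP"  # RTP/SAVP and RTP/SAVPF are the SRTP transport profiles

def auth_schemes(text):
    """Return the schemes offered in WWW-Authenticate headers."""
    return re.findall(r"(?im)^WWW-Authenticate:\s*(\w+)", text)

def media_profiles(text):
    """Return (media, transport profile) for each SDP m= line."""
    return re.findall(r"(?m)^m=(\w+) \S+ (\S+)", text)

def audit(text):
    """List what the exchange leaves exposed to anyone on the path."""
    findings = []
    for scheme in auth_schemes(text):
        if scheme.lower() == "basic":
            findings.append("auth: Basic sends the password base64-encoded, readable on the wire")
        elif scheme.lower() == "digest":
            findings.append("auth: Digest hides the password but does not cover the media")
    for media, profile in media_profiles(text):
        if SRTP_MARK not in profile.upper():
            findings.append(f"{media}: {profile} carries the payload unencrypted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGE):
        print(finding)
```
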
There is a serious tension between the cost of IP cameras and encryption, in that encryption is not "free" on a CPU cycle basis and making cameras that have two-digit costs before the decimal is fairly incompatible with real-time video encryption -- never mind the other issues that arise such as a lack of a published, reasonable standard for it that is interoperable across vendors and the certificate and keying management problems that have to have some sort of secure means of being resolved when you have these devices all over the place. The latter is serious as PKI (public key) has a cost too; that little "https" thing we all use isn't free to the site owner because the folks issuing it actually have to do work and their security has to be up to snuff or every certificate they issue can be compromised. In other words this is a material problem and not a trivial one to fix on a mass-marketed device, particularly when cost pressures are involved.
HomeDaemon, the software package I wrote quite some time ago but refuse to put into commercial channels for multiple reasons I've pointed out in the past, works with pretty much any camera that can do RTSP and resolves the problem by ensuring that the data never leaves your premises without being encrypted with strong, PFS-enabled security -- and it never goes to any sort of "cloud" system at all, only being decrypted on your phone. This narrows the PKI space to one device in your house, which is the HomeDaemon gateway (but it still has the PKI issue and, if done through public certification authorities such as is in use for this blog, still would have a recurring expense).
New rules are needed to hold online retailers accountable for vetting sellers and the product sold by their platforms, according to CR. It called on the Federal Trade Commission to stop the online sales of the doorbell cameras and on retailers to do more to ensure the quality of the products they sell.
Well, "stop the sale"? Entirely disagree. It should be up to an individual consumer whether they find the trade-off to be fair or not.
But force both the sellers and app publishers to be honest about the issues, yeah, how about that? And how about considering misrepresentation to be fraud (and throwing people in prison) when it occurs? And by the way, does this apply to the various "proprietary" cameras and such? I don't know, because I haven't bought one and looked into it, but I'll guarantee given what we do know that the data is not secure on an end-to-end basis. I'd like to assume that the "Ring" (and related) versions don't share this issue in transport, but those have potentially even more serious trouble because they're all "cloud" enabled and while their data may be encrypted in transport it is not individually encrypted in storage with keying only the customer has and controls. This clearly is not the case, otherwise we wouldn't have (as we do) various places that ask (and allow you to) "help" agencies of various sorts (e.g. police departments) access said information.
Never mind that Amazon in particular at least back to last summer is known not to encrypt data "at rest" in their cloud storage because they paid a nearly $6 million fine to the FTC for allowing their workers to access RING camera video. You can't access what's encrypted with only the customer having the keying and thus the question as to whether such is stored "in the clear" is quite-conclusively known.
Why is the above a big deal? Because such "cloud" storage concentrates a whole bunch of said unencrypted data from different people and places into one place and thus makes that place a very juicy target. To compromise one camera and its data is bad if it's your house that's targeted, but to compromise one million cameras at once is obviously much worse, and thus it becomes effectively the same as a bank with a big sign on the front of the building stating "$100 million in gold bars is in our vault!"
If you do that you better be sure the vault is adequate to prevent anyone from breaking into it successfully to steal same and if they try they'll get caught before they get in.
My assumption is that any such device sold in the consumer marketplace is insecure in transport and any "cloud" storage unless you, personally, wrap all said transportation of data before it leaves your premises and you never use any of the offered "cloud" options at all. In the current product environment I have no way to make a recommendation that doesn't result in a severe privacy problem because there's no way to reasonably believe said data is secure in any of the commercial offerings.
In an environment where what is observed is public land (thus there's no expectation of privacy at all) it obviously does not really matter but as soon as that camera is pointing at private property, presumably yours, it matters a great deal and unfortunately in the current marketplace, as has been the case for several years now, there's no answer that I'm comfortable with recommending for purchase.
Maybe I'll decide to release HomeDaemon generally (without charging for it) at some point to resolve at least the "personal access only" problem side of the issue for those willing to put in some personal effort.