The Cybersecurity 202: Smart home devices with known security flaws are still on the market, researchers say

TJ O’Connor, a computer science professor at Florida Institute of Technology, and his graduate student Daniel Campos say they found vulnerabilities in seven models of smart doorbells and cameras from device maker Geeni and its parent company Merkury Innovations.

The vulnerabilities, they say, provide hackers a range of ways to manipulate and control audio and video from the devices, including downloading or deleting files. In one model, researchers found a backdoor that allowed hackers to get in without leaving any signs that the device had been accessed.

The level of skill needed to pull off the attacks would be relatively low, O’Connor says. Most of the attacks relied on figuring out the default password that came with the device.

The researchers flagged the findings to Merkury in November, but the vulnerabilities have yet to be fixed, O’Connor says. 

Merkury is aware of the findings and said that its teams have been working on an update, scheduled to be released this month, to patch the vulnerabilities, spokesperson Sol Hedaya wrote in an email. Two of the models flagged by researchers “are discontinued product that sold very small quantity and which represent less than 0.1% of our active devices,” Hedaya added.

“We regularly update the security of our app and devices,” Hedaya said. “I would stress that we have no known exploits of any of these vulnerabilities.”

Users shopping for a smart doorbell online would probably be unaware of the issues.

It’s not clear how many devices the updates would affect, but the models flagged by the researchers have accrued thousands of positive reviews across popular online retailers including Home Depot, Best Buy, Walmart and Amazon.

“We require all vendors to follow applicable laws, regulations, and industry standards and will work directly with the vendor to look into these concerns,” Christina Cornell, a spokeswoman with Home Depot, told The Washington Post.

Best Buy and Walmart did not return a request for comment. Amazon did not provide a comment by deadline. (Amazon CEO Jeff Bezos owns The Washington Post.)

Vulnerabilities have shown up in Internet-connected home devices time and time again.

A student from O’Connor’s lab in the…