Chinese hackers lurking in doorbells – a beat-up (Safety)

Chinese hackers lurking in doorbells was the sensational page three headline of Monday, January 20, in Sydney’s Daily Telegraph. It was also cannon fodder for news and breakfast TV shows. Except that it is a hoary old beat-up regurgitated in slow news weeks.

Let’s not make light of the fact that, given the right circumstances, almost any IoT (Internet of Things) device can be hacked. That ranges from the tsunami of cheap Chinese IoT running an embedded operating system that is never updated to Wi-Fi-connected talking teddies and Barbie dolls.

Made in China – is that a worry?

FACT: Almost all ‘smart’ or Wi-Fi electronic devices are made in China or use some Chinese components. Those that could ‘monitor us’ include:

  • Phones (it does not matter where they are assembled; all have a high proportion of Chinese electronics). This includes feature phones and DECT handsets.
  • TVs—almost all 4K UHD, QLED, and Mini-LED are made there. Even South Korean-based LG and Samsung use many Chinese components in their premium TVs.
  • Windows PCs/Laptops, MacBooks, Android and iOS tablets, and smart monitors, even if the brand owner is a Western company or the product is assembled outside China.
  • Smart lights and IoT, including thermostats, thermometers, smoke detectors, water detectors, printers and scanners.
  • Smart speakers, soundbars, headphones.
  • Kitchen appliances with an app.
  • Cleaning appliances like robot vacuums, window robots and pool robots with an app
  • Cars – especially EVs that have a Wi-Fi or mobile data connection for firmware updates (all)
  • Routers, mesh, switches, docks
  • Security cameras, smart doorbells, and security hubs.

Is there a kill chip inside all these?

Never say never, but I will bet the answer is no for two reasons. First, China’s economy would be destroyed if it did. Second, there are too many devices and too many circuit designs to make this feasible.

That is not to say that some Chinese devices could not have a spy or kill switch. These would potentially damage infrastructure like data centres and critical utilities. Remember that Huawei was banned from 5G infrastructure.

Of course, we won’t know unless China declares war on the world. Somehow, China’s 1.44 billion people against the other seven billion of us does not stack up.

What about spying?

The proven cases so far involve gaining access to the device (usually a camera or router) via an old operating system weakness or a manufacturer’s intentional back door.

The better question is, why would a device be used to spy on ‘plain old me’?

The answer is simple. Information that helps supplement your dark web profile is helpful to cybercriminals. Read: Cybercriminals hire locals to spy on you. AI now trawls the profiles and selects those ripe for the picking. It may be that:

  • Your phone or computer gives access to passwords and location.
  • Security cameras or doorbells tell thieves when you are out.
  • IoT, routers and networks can be recruited into a Mirai denial-of-service botnet. Read: A deadly botnet may lurk in your old router and any IoT.
  • Smart speakers may expose conversations to law enforcement or criminals.
  • And in the worst case, any electronic device could be disabled by an invading country. Imagine how crippling it would be without internet, banking, email and more.

To repeat: Joe and Jane Average are just as likely to have their network hacked by an automated bot and passwords stolen as anyone with secure information on their network.

Routers

Until recently, most routers shipped with a default Admin back door to allow you access after a hard reset. Now, the first thing they do after a reset is force you to change the Admin router password.

Older routers, say Wi-Fi 5 or earlier, often ran a generic Linux-based operating system that, in 2020, had over 600 confirmed vulnerabilities. However, as the graph shows, the responsible vendors, Netgear, D-Link, ASUS, and TP-Link, updated firmware to stop this.

The problem is that a) people generally never update firmware, b) generic router makers never issue patches, and c) admin passwords remain at the default.

The solution is simple.

  • Find out how to open the router’s internal webpage to gain access to the setup or download the router app.
  • Check for a firmware update and install it if possible. If the firmware is pre-2024, then there is a risk of unpatched vulnerabilities. Set the firmware update to automatic (later model routers).
  • Change the Admin password to something unique to you.
  • Implement Multifactor authentication for login.
  • It is wise to subscribe to anti-malware and intrusion protection software backed by Trend Micro or similar if the device has it, as this provides router-level protection to all connected devices.
  • If you don’t have one of the well-known brands, it is time to get a new Wi-Fi 6, 6E or 7 router.

Security Cameras and doorbells

Reputable manufacturers include Arlo, Eufy, Swann, Uniden, TP-Link Tapo, Google, Nest, and Ring. Each of these has a track record of providing firmware updates. At last count, there were over 3000 generic Chinese brands on marketplaces, including eBay, Amazon, Kogan/Dick Smith/Mighty Ape/Matt Blatt, AliExpress and other best deals sites. Let’s not even consider Temu or Shein, which provide shoddy goods at low prices and sell your data.

The same goes for security cameras, doorbells, and baby monitors. Use the app and check that the firmware is current (or at least 2024). If not, it is time to move these on, as they have more vulnerabilities than routers!

And change user access and Admin passwords to longer and more complex ones.

Phones

Reputable manufacturers include Apple, Samsung, OPPO, Motorola, and Nokia (2024 or earlier). We don’t want to cast aspersions on brands like TCL, Nothing, O2, Xiaomi, etc. Still, it is vital that these have Australian certification (R-NZ C-Tick in Settings, About, Regulatory Information). If you bought grey-market, then you won’t have the Australian patches. Don’t accept that the CE mark is for Australia – it’s a very low-level tag.

Only in the last couple of years have manufacturers taken security threats seriously and increased the number of OS upgrades and security patch policies. Yet an astonishing number of smartphone users have never performed an update.

Android 12 or later phones have a nag screen notification and usually an auto-update, so make sure these are enabled. Open your settings and search for Update to find the date of the last update. If it is not mid-to-late 2024, then it is time to get a new phone.

Computers and smart monitors

These usually fall into the Windows, macOS, Android, and iOS camps, and Microsoft and Apple are diligent in releasing OS updates and closing vulnerabilities.

However, hardware manufacturers have a highly chequered history of releasing BIOS and firmware updates to fix hardware security. Some also installed remote access and monitoring software to enable remote support, which is a considerable risk.

Scammers also prey on people’s ignorance and try the remote support scam, claiming to be from Microsoft, Apple, Telstra and more.

Smart monitors now run LG WebOS, Samsung Tizen or a Linux OS, and it is vital these internet-connected devices have security patches. The same goes for TVs.

The key to protecting your computing is installing a paid antivirus/malware product like Trend Micro.

Any other device connected to the home Wi-Fi network

IoT has minimal computing power, so at best, it can phone home telemetry about what it is monitoring. At worst, it can become part of a DDoS botnet and infect other home network devices.

In all my many years, I have seen so few firmware updates for IoT that it must be of little interest to hackers and State players.

But that brings us to the root of the problem—the home network—and a new problem: A bloody I.

Without getting too techy, set up a 2.4GHz IoT-only network using a different VLAN IP address range (like the guest network) from your home network. This prevents IoT from infecting devices on the main network. Later model routers can do this, and we highly recommend these.

If you are techy, this article lists some popular open-source IDS/IPS software like Snort.

‘A bloody I’ is a huge potential issue. There are thousands of vulnerabilities in Wi-Fi-connected devices, and AI is working on how best to exploit them. The low-hanging fruit is anything old without OS, firmware or security updates in the past year. There is little defence against AI.

What can you do?

A new Router with on-device protection is the best option

The router is the logical place to have an IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). Routers that offer this are premium models, with enough power to run the protection software on the router or mesh.

Netgear has an Armor network protection system powered by Bitdefender. It runs on the router and protects devices both on and off the home network. Bitdefender security blocks viruses, spyware, ransomware, malicious links and Internet scams, and covers unlimited network-connected devices, VPN, and more. It works on Nighthawk and Orbi mesh Wi-Fi 6, 6E and 7.

TP-Link has HomeShield powered by German security company Avira (owned by Norton). It runs on the router and provides similar levels of software coverage to Armor with optional parental controls, Time Limits, KidShield, and QoS. It covers all connected devices both on and off the network. Works on most Wi-Fi 6E AX and Wi-Fi 7 BE Deco mesh and Archer routers. At present, you cannot buy Avira’s offering outside of TP-Link.

D-Link does not align itself with any security vendor but works equally well with Trend Micro, ESET, McAfee, Norton, and other premium paid solutions that run on the devices. D-Link will soon introduce Wi-Fi 7 devices.

ASUS runs Trend Micro’s AiProtection Pro or AiProtection Classic, which does much the same as Netgear and TP-Link and is for most of its Wi-Fi 6, 6E and 7 routers and mesh. At present, you cannot buy Trend’s offering outside of ASUS.

In 2025, all major security companies will likely release software for home network security running on a separate computer.

CyberShack’s View: Chinese hackers lurking in doorbells – perhaps but unlikely

Back to the Daily Tele beat-up article. It was a camera made by Dahua, one of the Chinese spycams banned at last from Government facilities in late 2022. It is old ‘the sky is falling’ news dragged out to fill a slow week. The old motto is ‘Never let the facts spoil a good story’. Shame on the Telegraph and media for not investigating it.

Stir in a good dose of FUD (fear, uncertainty and doubt) by implying that ‘Chinese-made devices, including doorbells, spy on Aussies’ and some will panic. However, most won’t do anything.

We have sage advice.

  • Check your Wi-Fi router for updates. If necessary, pay a geek to do it. If it is not reasonably up to date, consider a new one with essential on-device protection.
  • Check all IoT devices via their apps for firmware updates. If you did not see any from mid-2024, consider buying new devices.
  • Put all IoT on a VLAN (virtual LAN) that is different from your computer and phone LAN. If there is an issue, it won’t infect them. Ditto for paying a geek.
  • Replace with reputable brands certified for use in Australia and sold by well-known retailers.
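
For the techy, the checklist above can be turned into a repeatable audit of a home device inventory. This is an added example, not CyberShack's own code; the address ranges, the 1 July 2024 cut-off standing in for "mid-2024", the device names and the inventory are all assumptions constructed for illustration.

```python
"""Added example: audit a home-device inventory against the checklist."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): address plan and exact cut-off date.
MAIN_LAN = ip_network("192.168.1.0/24")    # computers and phones
IOT_VLAN = ip_network("192.168.50.0/24")   # IoT-only network
FIRMWARE_CUTOFF = date(2024, 7, 1)         # stands in for "mid-2024"

@dataclass
class Device:
    name: str
    kind: str            # "router", "iot", "computer" or "phone"
    ip: str
    last_firmware: date
    default_admin_password: bool = False

def audit(device):
    """Return the findings for one device; an empty list means it passes."""
    findings = []
    addr = ip_address(device.ip)
    if device.kind == "iot" and addr not in IOT_VLAN:
        findings.append("IoT device is not on the IoT-only network")
    if device.kind in ("computer", "phone") and addr not in MAIN_LAN:
        findings.append("computer/phone is not on the main LAN")
    if device.last_firmware < FIRMWARE_CUTOFF:
        findings.append("no firmware update since mid-2024")
    if device.default_admin_password:
        findings.append("admin password is still the default")
    return findings

def audit_all(devices):
    """Map device name -> findings, keeping only devices that fail a check."""
    report = {d.name: audit(d) for d in devices}
    return {name: found for name, found in report.items() if found}

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("router", "router", "192.168.1.1", date(2024, 11, 5)),
    Device("doorbell", "iot", "192.168.1.40", date(2021, 3, 9), True),
    Device("smart-plug", "iot", "192.168.50.12", date(2024, 9, 1)),
    Device("laptop", "computer", "192.168.1.20", date(2024, 12, 10)),
]

if __name__ == "__main__":
    for name, found in audit_all(INVENTORY).items():
        print(f"{name}: " + "; ".join(found))
```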

And ignore obvious sensational geopolitical stories.

Brought to you by CyberShack.com.au