|
|
Subscribe / Log in / New account

Development quote of the week

[Posted March 17, 2021 by ris]

And by using the documented API to get a session token, I could call editcgi.cgi to read and write arbitrary files on the doorbell. Which means I can drop an extra script in /etc/rc.d/rc3.d and get a shell on my doorbell.

This all requires the ability to have local authentication credentials, so it's not a big security deal other than it allowing you to retain access to a monitoring device even after you've moved out and had your credentials revoked. I'm sure it's all fine.

Matthew Garrett
to post comments

Development quote of the week

Posted Mar 18, 2021 8:18 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (7 responses)

Why is your doorbell even capable of...

No, actually, I don't really want to know. I'll probably be happier if I don't.

Development quote of the week

Posted Mar 18, 2021 8:39 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

My doorbell can call my phone (via SIP) and I can let people in by pushing a button on the phone.

Development quote of the week

Posted Mar 18, 2021 10:05 UTC (Thu) by k3ninho (subscriber, #50375) [Link] (3 responses)

>My doorbell can call my phone (via SIP) and I can let people in by pushing a button on the phone.
And nation-state actors and their friends can gain a physical presence on your home network (a side channel to game over) without breaking locks or windows, so this approach to home security isn't for me.

Matt mjg59's post does say that this was a cheap buy on eBay which was bricked by a failed update and probably not a home improvement item.

K3n.

Development quote of the week

Posted Mar 18, 2021 12:22 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> And nation-state actors and their friends can gain a physical presence on your home network (a side channel to game over) without breaking locks or windows, so this approach to home security isn't for me.
If a nation-state would want to enter your house, a secure doorbell won't stop them. They can get in through the mechanical lock, for example.

Heck, I can pick most of door locks in a minute or so, and I'm only an amateur lockpicker. Some time ago I lost my door key and I was picking my own lock every time I needed to get in, I got it down to 8 seconds.

Development quote of the week

Posted Mar 18, 2021 17:25 UTC (Thu) by nix (subscriber, #2304) [Link]

True enough for targetted attacks -- but the risk is blanket attacks. A nation-state actor can trivially penetrate *every doorbell* of a particular model with very little more effort than is needed to penetrate one -- it's a bit harder for them to break in to every house.

Development quote of the week

Posted Mar 25, 2021 13:13 UTC (Thu) by ledow (guest, #11753) [Link]

A nation-state actor has absolutely no need to faff with your doorbell.

This is a common misunderstanding.

If a nation-state actor has interest in you / gaining access to your property, they'll do it. And they'll do it in the least technical way possible.

Don't even TRY to defend against a nation-state level attack, unless you're a nation-state yourself.

A burglar, on the other hand, can probably bump most cheap mechanical locks with a small piece of metal and a couple of hour's practice in front of YouTube.

Development quote of the week

Posted Mar 18, 2021 12:08 UTC (Thu) by excors (subscriber, #95769) [Link] (1 responses)

You might want to check who's at the door before deciding to open it. You might not be able to do that by walking up to the door and looking through the physical peephole, because it's the outer door on a block of flats and it would take you far too long to walk there, or because you have a disability that makes it hard to reach the door, or because you have an enormous house or are very lazy, etc. Connecting the doorbell and (optionally) the lock to a phone app means you can see who's there, talk to them, and let them in, without having to get up.

Connecting it to the cloud means you can do the same even if you're not at home - maybe you want to let a neighbour in to water your plants (without the hassle and risk of giving them a physical key beforehand), or a plumber to fix an emergency, or a delivery driver to leave a parcel in a safe place. Or while at home, if you find phones awkward you can use the various cloud service integrations to connect the display to your TV and control it through a voice assistant, improving accessibility.

One consequence is that any internet-connected device needs a way for the vendor to push firmware updates, so they can respond quickly to reported security vulnerabilities. Obviously you should get one that's competently designed by people who care about security, and that e.g. uses secure boot with signed firmware updates instead of an editcgi.cgi, so that even users with physical access can't write arbitrary files onto it and can't install a persistent exploit to spy on future users. Unfortunately it's hard as a customer to distinguish the few decently-designed ones from the many terrible ones.

Development quote of the week

Posted Mar 19, 2021 7:40 UTC (Fri) by smurf (subscriber, #17840) [Link]

which is why some security people are incessantly pushing for governments to legislate minimum of security requirements.


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds