Noah Clements discovered a vulnerability in an unused smart security device his parents had purchased four years earlier. When he brought his findings to the company that made the device, a legal dispute followed.
Clements decided to check his parents' unused video doorbell for vulnerabilities, and found a flaw in the way the device exposed itself over the internet that would allow someone to access the doorbell without authorization.
The device acted as a web server, meaning users could log into it like a website from their phone or computer. Someone who broke into the device and logged in as the owner then had the ability to lock or unlock the door.
The doorbell is an Internet of Things (IoT) device: a typically analogue object that has been given a connection to the home network so that it can communicate and be accessed remotely. Such devices frequently have security weaknesses. Other common IoT devices include smart speakers, smart garage door openers, and smart thermostats.
Clements, now a second-year Computer Science student, was familiar with this common class of flaw in IoT devices, which is what allowed him to find the vulnerability.
He took his concerns to the company that created the device, Dbell, a small company specializing in smart video doorbells and security.
Dbell was happy to receive his email showing the problem in its product and how he was able to find it. However, Clements' request to publish his findings and his proposed fix sparked a legal conflict.
The company threatened Clements with accusations of extortion and malicious intent if he were to go to the media with his discovery.
“With smaller companies, their first thing to do is threaten. The larger companies are getting better, like Google, Microsoft, and Facebook. They’ll actually pay hundreds of thousands of dollars,” he said.
Larger companies can afford to pay white hat hackers, who can either be hired to check for vulnerabilities or, like Clements, find one without any expected payout. Smaller companies, such as Dbell, do not have that luxury, and Dbell feared Clements expected monetary compensation for his discovery.
Clements' case with Dbell was resolved with the aid of attorneys from Canada's Internet Policy and Public Interest Clinic. The company dropped its threats against him.
Clements’ story caught the attention of The Security Ledger Podcast, where he was featured in the 165th episode.
“[My family] thinks it’s pretty cool, and they’re glad that I’m doing what I like. That it’s enjoyable and a good field,” he said.
This experience with Dbell inspired Clements to pursue his interest in testing the security of smart products.
“These IoT devices are pretty fun just to kind of look into but I don’t really have a lot of money to buy these devices currently,” he said.
Clements works for Bulletproof, a Fredericton-based IT firm, where he works on defensive security measures for clients. In the future he would be more interested in the offensive side, in which companies pay people like Clements to penetrate their systems and reveal weaknesses.
For students who are interested in vulnerability research, Clements recommends continuing to explore IoT devices and the systems they operate within.
“Get anything into your hands and open it up to see what it looks like on the inside or see how it’s connected to the internet. How it accesses things, how it connects to different things and see if there is a way to exploit that,” he said.