Popular video doorbells can be easily hijacked, researchers find
Several internet-connected doorbell cameras have a security flaw that allows hackers to take over the camera by just holding down a button, among other issues, according to research by Consumer Reports.
On Thursday, the nonprofit Consumer Reports published research that detailed four security and privacy flaws in cameras made by EKEN, a company based in Shenzhen, China, which makes cameras branded as EKEN, but also, apparently, Tuck and other brands.
These relatively cheap doorbell cameras were available on online marketplaces like Walmart and Temu, which removed them from sale after Consumer Reports reached out to the companies to flag the problems. These doorbell cameras are, however, still available elsewhere.
According to Consumer Reports, the most impactful issue is that if someone is in close proximity to an EKEN doorbell camera, they can take “full control” of it by simply downloading its official app — called Aiwit — and putting the camera in pairing mode by simply holding down the doorbell's button for eight seconds. Aiwit's app has more than a million downloads on Google Play, suggesting it is widely used.
At that point, the malicious user can create their own account on the app, and scan the QR code generated by the app by putting it in front of the doorbell’s camera. This process lets the malicious user add the doorbell to their own account, allowing the malicious user to “gain control over a device that was originally associated with the homeowner’s user account,” according to Consumer Reports.
One mitigating factor is that, once this process is over, the owner of the camera gets an email alerting them that their “Aiwit device has changed ownership,” per the tests Consumer Reports conducted.
The other issues highlighted by the nonprofit organization are that the doorbells broadcast the owners’ IP addresses over the internet, they broadcast still images captured by the cameras, which can be intercepted and seen by anyone without needing a password, and they broadcast the unencrypted name of the local Wi-Fi network that the doorbell connects to over the internet.
Consumer Reports says EKEN did not respond to their emails reporting these issues. EKEN also did not respond to a request for comment from TechCrunch.
Despite these flaws and Consumer Reports warning online marketplaces about them, the doorbells remain available for sale on Amazon, Sears and Shein.
Spokespeople for Amazon, Sears and Shein did not respond to TechCrunch’s request for comment.
Temu, which used to sell the doorbells, said that after the company received alerts from Consumer Reports on February 5, it “took immediate action, suspending the sale of the identified doorbell camera models from the brands Tuck and Eken. We began a thorough review of these products to ensure their compliance with FCC regulations and other relevant standards.”
“Following the additional information received on February 28th regarding security vulnerabilities associated with products using the Aiwit app and manufactured by Eken Group Ltd, we took swift action and removed all related products from our platform,” Temu spokesperson Tori Schubert said in an email.
Walmart’s spokesperson John Forrest told TechCrunch in an email that the retail giant removed the EKEN and Tuck doorbells from sale. But Consumer Reports claimed there are similar doorbells, likely whitelabels of EKEN doorbells, still available on Walmart.
After TechCrunch shared with Walmart five listings flagged by Consumer Reports, Forrest said the company took down three of the five, while two had already been removed.
This research shows that — once again — consumers have no way to know whether internet-connected smart devices online have the appropriate privacy and security measures in place. And, that online marketplaces cannot be trusted to vet what they sell, until someone from the outside, like Consumer Reports in this case, points out that the products are not safe.