According to research conducted by non-profit organization Consumer Reports, several internet-connected doorbell cameras have a major security flaw. The flaw allows hackers to gain control of the camera with just the push of a button. The affected cameras are manufactured by EKEN, a company based in Shenzhen, China, and are also sold under Tuck and other brand names.
Upon publication of their research, Consumer Reports revealed four security and privacy issues with the EKEN cameras. These cameras, which are relatively inexpensive, were previously available for purchase on online marketplaces such as Walmart and Temu. However, following Consumer Reports’ alert, these marketplaces removed the cameras from sale. Despite this, the cameras can still be found for sale elsewhere.
The most concerning problem highlighted by Consumer Reports is the ability for someone in close proximity to an EKEN doorbell camera to gain “full control” of it. This can be done simply by downloading the official app, Aiwit, and pressing the doorbell’s button for eight seconds to enter pairing mode. The app has over a million downloads on Google Play, indicating widespread use.
At that point, the malicious user can create their own account on the app and then hold the QR code generated by the app in front of the doorbell’s camera so that the doorbell scans it. This lets the malicious user add the doorbell to their own account, giving them control over a device that was originally associated with the homeowner’s user account.
Although the owner of the camera will receive an email alerting them to ownership changes, the potential for harm is still high.
Consumer Reports also discovered additional concerns with the EKEN doorbells. The cameras broadcast the owner’s IP address, allowing anyone to view still images captured by the camera without needing a password. The doorbells also broadcast the unencrypted name of the local Wi-Fi network they are connected to, increasing the risk of unauthorized access.
Despite being made aware of these vulnerabilities, EKEN did not respond to Consumer Reports’ or TechCrunch’s requests for comment.
While Consumer Reports alerted online marketplaces about these issues, some of them continue to sell the doorbells. This includes Amazon, Sears, and Shein, whose spokespeople did not respond to inquiries from TechCrunch regarding the matter.
Temu, a former seller of the doorbells, took immediate action after receiving alerts from Consumer Reports and suspended the sale of the identified models. However, Consumer Reports has found similar doorbells, likely white-label versions of EKEN devices, still available for purchase on Walmart’s website.
Following TechCrunch’s notification, Walmart removed three of the five flagged listings. This highlights the growing concern that consumers cannot trust online marketplaces to properly vet and regulate the safety and security of products they sell.
Once again, this research serves as a reminder that consumers have no way of knowing if internet-connected devices have appropriate privacy and security measures in place, and that it is essential for outside organizations like Consumer Reports to bring attention to these issues.