Security flaw discovered in smart doorbells puts millions of users at risk of cyberattacks
(Baonghean.vn) - A Consumer Reports investigation discovered security vulnerabilities in smart doorbells that allow hackers to gain unauthorized access and steal footage, posing privacy risks to users.
The market for smart doorbells with integrated cameras is growing with many brands, devices, versions and retailers, making it difficult for buyers to find safe and reliable products.
In particular, according to Consumer Reports, these devices lack basic access controls on network traffic, which allows strangers to freely access users' private videos.
Findings from Consumer Reports
Dangerous security vulnerabilities have been found in smart doorbells with built-in cameras, potentially allowing attackers to gain unauthorized access to video footage, control doorbell functions, or even steal personal information, according to an investigation by Consumer Reports.
It all started when a Consumer Reports journalist received an email containing images of himself waving at a doorbell camera. The images were actually sent by Steve Blair, a Consumer Reports security and privacy testing engineer, after successfully hacking into the doorbell from 2,923 miles away.
Blair and fellow test engineer Della Rocca dug deeper and discovered security vulnerabilities in cheap, insecure electronics from Chinese manufacturers sold on e-commerce platforms like Amazon, Walmart, Sears, and Shein.
These doorbells lack the unique identification number (ID) that the Federal Communications Commission (FCC) assigns to each electronic device, making them illegal to distribute in the U.S. The FCC uses the ID to track devices sold in the U.S. market and ensure they meet safety and security standards.
The lack of an FCC ID on smart doorbells is a serious issue because it means these devices may not meet safety and security standards. This could put users at risk of cyberattacks or having their personal information stolen.
Researchers discovered security issues in at least 10 smart doorbells with integrated cameras sold under the Chinese brands Eken and Tuck, and all analyzed doorbells were controlled via the Eken-owned Aiwit mobile app. In addition, two products from other Chinese brands, Fishbot and Rakeblue, also contained similar security vulnerabilities.
Eken and Tuck are smart doorbell brands that have seen strong sales, with many listings on Amazon generating over 4,200 sales in January 2024 alone. These doorbells are also available on Walmart.com, sears.com, and global marketplaces Shein and Temu under different names like Andoe, Gemee, and Luckwolf.
Thousands of these smart doorbells are sold every month on Amazon and other e-commerce platforms, including Walmart, Sears, and popular global e-commerce sites like Shein and Temu. Security experts say they are just a drop in the bucket of cheap, insecure electronics from Chinese manufacturers being sold in various markets around the world.
Potential dangers
Anyone with physical access to the doorbell can take control of the device without any specialized tools or advanced hacking skills. They just need to download the app and pair the device with their phone to view the camera's video feed indefinitely.
An intruder could hijack a doorbell to monitor the activities of family members, revealing IP addresses and unencrypted Wi-Fi network names. Poor security on video hosting company servers could add to the threat.
Eken's Aiwit smartphone app can pair the doorbell with Wi-Fi access points, allowing anyone to access the video feed without a password or account. An intruder can determine the device's serial number and access still images from the video feed even if the original owner regains control of the device.
Justin Brookman, director of technology policy at Consumer Reports, said that e-commerce platforms, especially big names like Amazon, should be held accountable for the harm caused by their products. Eken, Tuck, Amazon, Walmart, Sears, Shein, Temu, and the FCC were also notified by Consumer Reports about these issues.
After being notified by Consumer Reports, Chinese e-commerce platform Temu removed from its website all doorbell devices using the Aiwit app and manufactured by Eken. In addition, Walmart said that items that do not meet safety, reliability, and regulatory standards will be removed and blocked from the e-commerce platform. Meanwhile, other e-commerce platforms such as Amazon, Sears, and Shein have not yet officially responded to the issue.
How to secure your doorbell camera?
If you own one of these doorbells, Consumer Reports recommends disconnecting it from your home Wi-Fi and removing it from your door. Consumer Reports has rated smart doorbells with much better security from brands including Logitech, SimpliSafe, and Ring.
While 100% security is extremely difficult to achieve, here are some steps you can take to ensure your doorbell is protected from hackers and third-party espionage:
Choose a reputable brand
Avoid using cheap or unbranded smart doorbells, especially those from unfamiliar manufacturers.
Look for devices from well-known brands that have a history of prioritizing security.
Check security features
Make sure your doorbell uses strong encryption to transmit and store video.
Look for features like two-factor authentication (2FA) for logins and activity alerts.
Secure your Wi-Fi network
Use a strong password for your Wi-Fi network and enable encryption (WPA2 or WPA3).
Consider creating a guest network for devices like doorbells, completely separate from the main network that holds your sensitive data.
Manage application permissions
Only grant the doorbell app the minimum permissions it needs, such as access to the camera and microphone.
Avoid apps from unknown developers and use official apps from the manufacturer.
Always keep your firmware up to date
Regularly update your doorbell firmware to ensure you have the latest security patches and bug fixes.
Turn on automatic updates if available to stay protected.
Activity monitoring
Keep an eye on who has access to your doorbell and monitor activity logs.
Look for any suspicious login attempts or unusual activity.
Review privacy settings
Adjust your doorbell's privacy settings to control which areas are recorded and how long the footage is stored.
Turn off features you don't need, like motion detection in public areas.
Look for the product identification number displayed on your doorbell. Devices without this identification number may be illegal and lack proper security measures.
Make sure your doorbell is physically secure and cannot be easily tampered with.