Some Internet-connected doorbell cameras have security flaws that allow hackers to take control of them with the simple press of a button, among other problems, according to a Consumer Reports investigation.
On Thursday, the nonprofit Consumer Reports released a study that detailed four security and privacy flaws in cameras made by Shenzhen, China-based EKEN. The company makes cameras under the EKEN brand, but apparently also makes cameras under Tuck and other brands.
These relatively inexpensive doorbell cameras were available on online marketplaces like Walmart and Tem, but were discontinued after Consumer Reports contacted the companies to report the issue. However, these doorbell cameras are still available elsewhere.
According to Consumer Reports, the most impactful issue is that when someone approaches an EKEN doorbell camera, they can simply download the official app called Aiwit and put the camera into pairing mode, giving them “full control” over the doorbell camera. It's possible. All he has to do is press and hold the doorbell button for 8 seconds. Aiwit's app has been downloaded more than 1 million times on Google Play, which shows that it is widely used.
At that point, a malicious user can create their own account on the app and scan the QR code generated by the app by holding it in front of the doorbell's camera. According to Consumer Reports, this process allows a malicious user to add a doorbell to their account, allowing the malicious user to “take control of devices that were originally associated with the homeowner's user account. “It will become like that.”
According to testing conducted by Consumer Reports, one mitigating factor is that once this process is finished, the camera owner will receive a warning email saying, “Ownership of your Aiwit device has changed.”
Other issues highlighted by the non-profit organization include doorbells broadcasting the owner's IP address over the Internet, as well as still images taken by the camera, allowing anyone to access the app without the need for a password. But you can also intercept and see the unencrypted name of the local Wi-Fi network that your doorbell connects to over the Internet.
According to Consumer Reports, EKEN did not respond to emails reporting these issues. EKEN did not respond to TechCrunch's request for comment.
Despite these flaws and Consumer Reports' warnings about online markets, doorbells continue to be sold on Amazon, Sears, and Shein.
Spokespeople for Amazon, Sears, and Shein did not respond to TechCrunch's requests for comment.
After the company received a warning from Consumer Reports on February 5, Tem Inc., which sells doorbells, “took immediate action and stopped selling identified doorbell camera models branded Tuck and Eken.'' There was a pause,” he said. We have initiated a thorough review of these products to ensure they comply with FCC regulations and other relevant standards. ”
Temu spokesperson Tori Schubert said in an email: “Following the receipt on February 28 of additional information regarding security vulnerabilities related to products manufactured by Eken Group Ltd using the Aiwit app, our company We took swift action and removed all related products from our platform.”
Walmart spokesperson John Forrest told TechCrunch in an email that the retail giant has removed EKEN and Tuck doorbells from sale. However, Consumer Reports claimed that a similar doorbell, possibly the white label EKEN doorbell, is still available at Walmart.
After TechCrunch shared a list of the five reported on Consumer Reports with Walmart, Forrest said the company removed three of the five, and two have already been removed.
This research shows that consumers once again have a way to know whether their internet-connected smart devices are taking appropriate privacy and security measures online. And until someone outside, like Consumer Reports in this case, points out that a product is unsafe, online marketplaces can't be trusted to vet what they sell.