Security Concerns Plague Popular Video Doorbells

Recent investigations by security researchers at Consumer Reports have unveiled significant security vulnerabilities in popular video doorbell cameras, specifically those manufactured by EKEN and sold under various brands, including Tuck, Aiwit, Fishbot, and Gemee. The findings, spearheaded by Consumer Reports, highlight a disturbing ease with which these internet-connected devices can be compromised, posing severe risks to consumer privacy and home security.

Egregious Security Failures

The primary vulnerability identified involves the ability for an unauthorized individual to gain full control over an EKEN doorbell camera by exploiting the device's pairing process. By merely pressing the doorbell button for a prolonged period, an intruder can initiate the camera's pairing mode. They can then use the Aiwit app, associated with over a million downloads, to link the device to a new account, effectively severing the connection to the original owner. This breach allows unauthorized users not only to view live feed from the camera but also to control its functions and determine it’s serial number.

While the owner can easily rectify this loss of control by simply re-pairing the doorbell again, the attacker can use the retrieved serial number to continue to access still images from any motion events that are captured. No password, no encryption, and not even an account with the doorbell maker is required to do this, which can continue indefinitely without the owner’s knowledge or any ability to cut it off. This serial number or the still images can then, of course, be shared far and wide for anyone to see.

Compounding the issue, these devices also jeopardize user privacy by broadcasting sensitive data, such as the homeowner's IP address and the Wi-Fi network name, unencrypted to anyone within range. This lack of security can lead to broader network access, further exposing individuals to cyber threats and invasions of privacy. The dissemination of still images captured by the cameras, accessible without secure authentication, adds another layer of vulnerability, providing potential intruders with visual information about the homeowner's premises and routines.

Churn and Burn

I’ve often said how uncomfortable I am with recommending these low-cost brands to anyone. These products, also known as ‘white box’ products, are mass produced and sold in bulk to anyone who wants to quickly put out product in that segment. A quick rebrand, and they’re up for sale on online marketplaces all over the world.

This practice is what I call ‘churn and burn’: crank out a new product at a bargain price, sell a load of them, then move on to the next thing. We see these all the time on Amazon and similar marketplaces, a bunch of cheap product options with weird brand names that all look eerily similar.

Creating a minimum viable working product at the lowest cost is the key, so you get no real support, no warranty, and - most significantly - zero investment in security. Security needs to be built in by design for it to be effective. It requires time and expensive expert resources that these device makers simply don’t want to pay for. The plan to be long gone by the time their customers have any issues, so why bother. This kind of investment is only important to actual long-term brands that care about their reputation in the market.

Is Eken doing anything about this?

Despite Consumer Reports’ efforts to highlight these critical flaws, major online marketplaces, including Amazon, Sears, and Shein, have been slow to react, with the products remaining readily available for purchase. This ongoing availability raises questions about the commitment of these platforms to consumer safety and the effectiveness of their vetting processes for smart home devices. Conversely, the online retailer Temu demonstrated a proactive stance by immediately suspending sales and conducting a review of the implicated products sold by Eken themselves. Very similar models under other brand names remained for sale, however, so this may be a token response.

The maker of these doorbells, Chinese company EKEN, didn’t respond to Consumer Reports’ questions about these issues.

This incident underscores a broader challenge within the realm of internet-connected devices: the need for robust privacy and security standards. As consumers increasingly integrate smart technology into their homes, the responsibility falls on manufacturers and retailers to ensure these devices are secure from exploitation. The EKEN doorbell camera case serves as a stark reminder of the potential consequences of neglecting this duty.

What Can Consumers Do?

In light of these developments, consumers are advised to exercise increased caution when selecting and installing smart home devices. Determining how secure a connected consumer device is can be virtually impossible for most people, but this is especially important when it comes to camera-based devices like video doorbells.

The best advice I can give is to stay with proven brands and avoid these white-box random-bunch-of-letters brands. Proven brands not only have skin in the game, their commercial reputation is at stake, but they also tend to attract far more scrutiny from security researchers and the tech press and may well have bug bounty programs in place to incentivize the finding of vulnerabilities so they can be fixed before someone exploits them.

If you have one of these products already and you’re inside your return window, make use of it ASAP. Otherwise, I’m afraid all you can do is throw it away. The privacy and security risks are so severe and irreparable that they cannot continue to be used, and there’s zero chance these brands are going to fix the problem or provide any relief.