According to a Consumer Reports investigation, many Internet-connected doorbell cameras have a security flaw that allows hackers to take over the camera by simply holding down a button, among other issues.
On Thursday, nonprofit Consumer Reports published research detailing four security and privacy flaws on cameras made by EKEN, a company based in Shenzhen, China, which makes cameras under the EKEN brand, but also, apparently, Tuck and other brands.
These relatively inexpensive doorbell cameras were available at online marketplaces such as Walmart and Temu, which removed them from sale after Consumer Reports contacted the companies to highlight the problems. These doorbell cameras are, however, still available elsewhere.
According to Consumer Reports, the most dangerous issue is that anyone in close proximity to an EKEN doorbell camera can take “total control” of it by downloading its official app, called Aiwit, and putting the camera into pairing mode by holding down the doorbell button for eight seconds. The Aiwit app has more than one million downloads on Google Play, which indicates that it is widely used.
At that point, the malicious user can create their own account on the app and scan the app-generated QR code by holding it in front of the doorbell’s camera. This adds the doorbell to the malicious user’s account, allowing them to “gain control of a device originally associated with the homeowner’s user account,” according to Consumer Reports.
A mitigating factor is that once this process is complete, the camera owner receives an email alerting them that “the Aiwit device has changed ownership,” according to tests conducted by Consumer Reports.
The other issues highlighted by the nonprofit are that the doorbells broadcast their owners’ IP addresses over the Internet; broadcast still images recorded by the cameras, which anyone can intercept and view without a password; and broadcast, unencrypted and over the Internet, the name of the local Wi-Fi network to which the doorbell connects.
Consumer Reports says EKEN did not respond to its emails reporting these issues. EKEN also did not respond to a request for comment from TechCrunch.
Despite these flaws and Consumer Reports warning online shoppers about them, the doorbells remain available for sale at Amazon, Sears and Shein.
Representatives for Amazon, Sears and Shein did not respond to TechCrunch’s request for comment.
Temu, which sold the doorbells, said that after the company received notices from Consumer Reports on Feb. 5, it “took immediate action, suspending the sale of the recognized models of doorbell cameras from the Tuck and Eken brands. We have initiated a thorough review of these products to ensure compliance with FCC regulations and other relevant standards.”
“Following additional information received on February 28 about security vulnerabilities related to products using the Aiwit app and manufactured by Eken Group Ltd, we took immediate action and removed all relevant products from our platform,” Temu spokeswoman Tori Schubert said in an email.
Walmart spokesman John Forrest told TechCrunch in an email that the retail giant has removed the EKEN and Tuck doorbells from sale. However, Consumer Reports claimed that similar doorbells, possibly white-label versions of EKEN doorbells, are still available at Walmart.
After TechCrunch shared with Walmart five listings flagged by Consumer Reports, Forrest said the company pulled three of the five, with two already removed.
This research shows that, once again, consumers have no way of knowing whether smart devices connected to the internet have the right privacy and security measures in place, and that online marketplaces can’t be trusted to scrutinize what they’re selling until someone from the outside, like Consumer Reports in this case, points out that the products are unsafe.