Pierluigi Paganini
March 03, 2024
Researchers from Consumer Reports (CR) discovered severe vulnerabilities in doorbell cameras manufactured by the Chinese company Eken Group Ltd. The company produces video doorbells under the brand names EKEN and Tuck, its products are by major retailers, including Amazon, Walmart, Shein, Sears and Temu.
The security flaws could allow threat actors to view footage from the devices or control them completely.
An attacker can exploit the flaws to create an account on the app and gain access to a nearby doorbell camera by pairing it with another device. Then threat actors can view footage and lock out the owner of the device.
Steve Blair, a CR privacy and security test engineer, and fellow test engineer David Della Rocca, discovered that at least 10 more seemingly identical video doorbells been sold under different brand names, are all controlled through the same mobile app, called Aiwit, which is owned by Eken.
“Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.” reads the report published by CR.
The researchers purchased two doorbell cameras, sold under the Fishbot and Rakeblue brands, and discovered that both devices are affected by the same vulnerabilities.
The owners of these doorbell cameras facing threats from stalkers or estranged abusive partners and may be subjected to surveillance through their phones, online platforms, and interconnected smartphones.
Some of the doorbells analyzed by the researchers also lack a visible ID issued by the Federal Communications Commission (FCC), which is a mandatory requirement for the sale of these products in the U.S.
Some online marketplaces, such as Walmart, have removed the flawed products from their catalog and are offering refunds to their customers who purchased the devices.
At the time of this writing, the EKEN Smart Video Doorbell Camera Wireless devices are still available on Amazon.
“Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” says Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, camera doorbells)
