Consumer Reports finds dangerous security vulnerabilities in cheap doorbell cameras

Alfonso Maruccia

Facepalm: Consumer Reports delivers investigative reports and tests mass-manufactured products, providing advice and documentation on how consumers can protect their rights. The latest CR report focuses on doorbell cameras, and the findings couldn't be worse.

Consumer Reports investigated inexpensive doorbell cameras, revealing that they are plagued by "terrible" security practices and are essentially all produced by the same Chinese company. These devices are being sold on digital marketplaces such as Amazon, Walmart, Temu, and others, and they have proven to be a highly popular product category.

CR examined video doorbells made by Eken and Tuck, discovering that they appear to be the same product sold under different brand names. These two "smart" cameras, along with "at least" 10 more identical video doorbells, are manufactured by the Shenzhen-based company Eken Group, and they can be controlled by a common mobile app (Aiwit), which was also developed by Eken.

The consumer organization found a significant number of security vulnerabilities with the doorbells. Major flaws include the unencrypted exposure of a user's home IP address and Wi-Fi network name (SSID) over the internet, the ability for malicious actors to take over the devices by downloading the Aiwit app and entering pairing mode, and unauthenticated remote access to still images and video feeds of private dwellings.

The insecure cameras also lack a proper registration code, which, according to FCC regulations, must be visible on this class of products. Despite being considered second-rate products in the video doorbell market, Eken cameras are "relatively strong sellers" on online marketplaces. CR states that multiple listings on Amazon generated more than 4,200 sales in January 2024 alone.

CR's director of tech policy, Justin Brookman, highlighted how both manufacturers and retail platforms are responsible for products that can harm consumers. Major ecommerce platforms need to do a better job of "vetting sellers and products" sold through their channels, Brookman said, and it has now become clear that new rules are required for holding online retailers accountable.

CR asked Eken Group some questions about its video doorbells, but the company didn't provide any reply. The organization also reached out to online retailers, sharing the security vulnerabilities it found in the devices. Temu said that all the doorbells using the Aiwit platform were removed from its website, while Walmart only promised to do so. Amazon, Sears, and other retailers didn't provide any answers.


When you buy something very cheap, and expect it to be smart, it'll be as smart as you are, one neuron short of a genius.
Temu is currently selling home security cameras which also use Aiwit software - I wonder if they have the same flaws.
When you buy something very cheap, and expect it to be smart, it'll be as smart as you are, one neuron short of a genius.

That does not always make sense. Some of these cams require you to create a different SSID for 2.4GHz Wi-Fi to be able to use the devices... and many people don't know how to do that and return the cameras... and eventually they sit with stock that they can only get rid of by selling it for cheap. As long as they are honest about why it's a flopped product, you can make the choice if you are willing to buy a lower quality product.
That's the problem when there is no standard. I bought my first IP cameras well over 13 years ago, and over many years I've discovered endless brands of cameras that came with their own app. I remember about 10 years ago, when my old ipcam "server" was becoming unusable, I decided to use my laptop as a "server" and just run TeamViewer if I wanted to check live feeds of the cameras. I mean, 10 years ago we still had Windows Phone and BlackBerry OS aside from iOS and Android. TeamViewer was one of the apps that was supported on all those phones.

Right now we have literally endless choices of IP cameras in the market, and the cheaper ones tend to be quickly "abandoned" by the manufacturers. You can have it running now, but there's no guarantee it will work in the next 5 years or that it will be supported by a mobile OS 5 years from now.

If and when Aiwit decides to shut down their servers, millions of those cheap devices will instantly become e-waste.
Should change the current picture to a dumb doorbell since it too would have nothing to do with the current article.
These are not "terrible security practices". This is being done on purpose so that the Chinese can take advantage of people around the world. The Chinese are doing this on purpose so these cameras can be used in future malware and other blackhat activities. This is not an accident.
Nothing new here. Move along.

No surprises, either. Security for any IoT device has been known to be non-existent for years. The only thing new is that Consumer Reports is bringing this to the forefront since IoT manufacturers have done next to nothing over the years to correct these dismal "security" issues.
To be honest, it is not about the price because the same can happen to more expensive wares. When you have a device that is constantly connected to the web, there are always going to be vulnerabilities. If you recall, Anker ran into security issues as well. And there were other examples like this.