Consumer Reports warns that certain video doorbells might compromise your privacy, allowing unauthorized access to your home surveillance. The issue centers around doorbells sold by a Chinese company called Eken, marketed under various brands including Aiwit, Andoe, Eken, Fishbot, Gemee, Luckwolf, Rakeblue, and Tuck. These doorbells are widely available on platforms like Amazon, Temu, Shein, Sears, and Walmart.
These doorbells have lax security measures, making it easy for anyone to hijack the device and gain access to the images it captures. Even if you regain control of the doorbell, the unauthorized access could persist.
One concerning aspect is that the doorbells expose your public-facing IP address and Wi-Fi network details, potentially compromising your network security. Additionally, the captured images are accessible on web servers without requiring any login credentials, posing a significant privacy risk.
Consumer Reports found that a colleague’s face captured by an Eken camera could be accessed from across the country simply by knowing the right URL. Moreover, obtaining the serial number of the camera is enough for a bad actor to gain control, which they can do by holding down the doorbell button for eight seconds and re-pairing the camera with their account.
Once a bad actor has control, they can share the serial number, enabling others to access the camera feed. Consumer Reports has not seen evidence of this exploit being used in the wild but emphasizes the severity of the vulnerability.
Despite the risks, some retailers continue to sell these doorbells, with only a few taking action after being alerted. Temu has halted sales of some models, but others, including Amazon, Shein, and others, still offer them for sale.
Consumer Reports urges consumers to be cautious when purchasing video doorbells and to consider the security implications before making a purchase. While these vulnerabilities have not been widely exploited, they underscore the importance of robust security measures in smart home devices.
