Advertisement

Popular video doorbells can be easily hijacked, researchers find

Image Credits: Amazon

Several internet-connected doorbell cameras have a security flaw that allows hackers to take over the camera by just holding down a button, among other issues, according to research by Consumer Reports.

On Thursday, the nonprofit Consumer Reports published research that detailed four security and privacy flaws in cameras made by EKEN, a company based in Shenzhen, China, which makes cameras branded as EKEN, but also, apparently, Tuck and other brands.

These relatively cheap doorbell cameras were available on online marketplaces like Walmart and Temu, which removed them from sale after Consumer Reports reached out to the companies to flag the problems. These doorbell cameras are, however, still available elsewhere.

According to Consumer Reports, the most impactful issue is that if someone is in close proximity to an EKEN doorbell camera, they can take “full control” of it by simply downloading its official app — called Aiwit — and putting the camera in pairing mode by simply holding down the doorbell's button for eight seconds. Aiwit's app has more than a million downloads on Google Play, suggesting it is widely used.

ADVERTISEMENT

At that point, the malicious user can create their own account on the app, and scan the QR code generated by the app by putting it in front of the doorbell’s camera. This process lets the malicious user add the doorbell to their own account, allowing the malicious user to “gain control over a device that was originally associated with the homeowner’s user account,” according to Consumer Reports.

One mitigating factor is that, once this process is over, the owner of the camera gets an email alerting them that their “Aiwit device has changed ownership,” per the tests Consumer Reports conducted.

The other issues highlighted by the nonprofit organization are that the doorbells broadcast the owners’ IP addresses over the internet, they broadcast still images captured by the cameras, which can be intercepted and seen by anyone without needing a password, and they broadcast the unencrypted name of the local Wi-Fi network that the doorbell connects to over the internet.

Consumer Reports says EKEN did not respond to their emails reporting these issues. EKEN also did not respond to a request for comment from TechCrunch.