Does your video doorbell look anything like the one in the picture? Perhaps you bought it for cheap at Amazon, Temu, Shein, Sears, or Walmart? Does it use the Aiwit app?
Consumer Reports is reporting the security on these cameras is so incredibly lax, anybody could walk up to your house, take over your doorbell, and permanently get access to the still images it captures — even if you take control back.
The cameras are sold by a Chinese company called Eken under at least ten different brands, including Aiwit, Andoe, Eken, Fishbot, Gemee, Luckwolf, Rakeblue and Tuck. Consumer Reports says online marketplaces like Amazon sell thousands of them each month. Some of them have even carried the Amazon’s Choice badge, its dubious seal of approval.
Yet Amazon didn’t even respond to Consumer Reports findings last we’d heard, much less pull the cameras off its virtual shelves. Here’s one of them on sale right now. Shopping app Temu, at least, told CR it would halt sales after hearing just how incredibly easy they are to hack.
Frankly, “hack” might be too strong a word
Not only do these cameras reportedly expose your public-facing IP address and Wi-Fi network in plaintext to anyone who can intercept your network traffic (hope you aren’t checking them on public Wi-Fi!), they reportedly broadcast snapshots of your front porch on web servers that don’t ask for any username or password.
One Consumer Reports security staffer was able to freely access images of a colleague’s face from an Eken camera on the other side of the country, just by figuring out the right URL.
Worse, all a bad actor would need to figure out those web addresses is the serial number of your camera.
Even worse, a bad actor could get that serial number simply by holding down your doorbell button for eight seconds, then re-pairing your camera with their account in the Aiwit smartphone app. And until you take control of your own camera again, they’ll get video and audio as well.
Worse still, that bad actor could then share those serial numbers with anyone else on the internet. Consumer Reports tells us that once the serial number is out in the wild, a bad actor can write a script that would just keep downloading any new images generated by the camera.
I guess you could say “Well, these cameras only face outdoors and I don’t care about that,” but Eken advertises indoor-facing cameras as well. (Consumer Reports tells us it hasn’t tested other Eken models yet.) I also really don’t want bad actors to know exactly when I leave my home.
You might say “Ah, this isn’t a big threat because a bad actor needs local access to the camera” — but that assumes they can’t figure out a way to randomly hit upon working serial numbers, or recruit porch pirates to canvas neighborhoods. At least the serial numbers seem to be randomized, not incremental, Consumer Reports tells us.
You also might say “Won’t Eken just stop hosting these images at freely accessible URLs?” That’d be good, but it apparently couldn’t be bothered to respond to Consumer Reports’ requests for comment.
Do the Aiwit servers do anything at all to prevent hackers from just randomly trying URLs until they find images from people’s cameras? If so, Consumer Reports hasn’t seen it yet.
“I have made tens of thousands of requests without any defense mechanisms triggering,” Consumer Reports’ privacy and security engineer Steve Blair tells The Verge via a spokesperson. “In fact, I was purposely noisy (hundreds of requests at once, from a single IP/source, repeated every couple of minutes) to try to determine if any defenses were present. I did not see any limitations.”
At least Consumer Reports isn’t yet suggesting this has been exploited in the wild.
We didn’t independently confirm these flaws, but we did read through the vulnerability reports that CR shared with Eken and another brand named Tuck. And it wouldn’t be the first time a “security” camera company has neglected basic security practices and misled customers.
Anker admitted its always-encrypted Eufy cameras weren’t always encrypted after my colleagues and I were able to access an unencrypted live stream from across the country, using an address that, like Eken, consisted largely of the camera’s serial number.
Meanwhile, Wyze recently let at least 13,000 customers briefly see into a stranger’s property — the second time it’s done that — by sending camera feeds to the wrong users. And that was after the company swept a different security vulnerability under the rug for three whole years.
But the Eken vulnerability might even be worse, because it sounds far easier to exploit, and because they’re white-labeled under so many different brands that it’s harder to protest or police.
Consumer Reports says that even after Temu pulled some of the worrying doorbells, it kept selling others — and that as of late February, despite its warnings to retailers, most of the products it found were still on sale.