Popular video doorbells can be easily hijacked, researchers find


Several internet-connected doorbell cameras have a security flaw that allows hackers to take over the camera by just holding down a button, among other issues, according to research by Consumer Reports.

On Thursday, the non-profit Consumer Reports published research that detailed four security and privacy flaws in cameras made by EKEN, a company based in Shenzhen, China, which makes cameras branded as EKEN, but also, apparently, Tuck and other brands.

These relatively cheap doorbell cameras were available on online marketplaces like Walmart and Temu, which removed them from sale after Consumer Reports reached out to the companies to flag the problems. These doorbell cameras are, however, still available elsewhere.

According to Consumer Reports, the most impactful issue is that anyone in close proximity to an EKEN doorbell camera can take “full control” of it by downloading its official app, called Aiwit, and putting the camera in pairing mode by holding down the doorbell’s button for eight seconds. Aiwit’s app has more than a million downloads on Google Play, suggesting it is widely used.

At that point, the malicious user can create their own account on the app and scan the QR code generated by the app by putting it in front of the doorbell’s camera. This process adds the doorbell to the malicious user’s own account, allowing them to “gain control over a device that was originally associated with the homeowner’s user account,” according to Consumer Reports.

One mitigating factor is that, once this process is over, the owner of the camera gets an email alerting them that their “Aiwit device has changed ownership,” per the tests Consumer Reports conducted.

The other issues highlighted by the non-profit organization are that the doorbells broadcast the owners’ IP addresses over the internet; that they broadcast still images captured by the cameras, which can be intercepted and seen by anyone without needing a password; and that they broadcast over the internet the unencrypted name of the local Wi-Fi network that the doorbell connects to.

Consumer Reports says EKEN did not respond to their emails reporting these issues. EKEN also did not respond to a request for comment from TechCrunch.

Despite these flaws and Consumer Reports warning online marketplaces about them, the doorbells remain available for sale on Amazon, Sears, and Shein.

Spokespeople for Amazon, Sears and Shein did not respond to TechCrunch’s request for comment.

Temu, which used to sell the doorbells, said that after the company received alerts from Consumer Reports on February 5, it “took immediate action, suspending the sale of the identified doorbell camera models from the brands Tuck and Eken. We began a thorough review of these products to ensure their compliance with FCC regulations and other relevant standards.”

“Following the additional information received on February 28th regarding security vulnerabilities associated with products using the Aiwit app and manufactured by Eken Group Ltd, we took swift action and removed all related products from our platform,” Temu spokesperson Tori Schubert said in an email.

Walmart’s spokesperson John Forrest told TechCrunch in an email that the retail giant removed the EKEN and Tuck doorbells from sale. But Consumer Reports claimed there are similar doorbells, likely whitelabels of EKEN doorbells, still available on Walmart.

After TechCrunch shared five listings flagged by Consumer Reports with Walmart, Forrest said the company took down three of the five, while two had already been removed.

This research shows, once again, that consumers have no way to know whether internet-connected smart devices sold online have the appropriate privacy and security measures in place, and that online marketplaces cannot be trusted to vet what they sell until someone from the outside, like Consumer Reports in this case, points out that the products are not safe.




Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
