Researchers have uncovered that numerous internet-connected doorbell cameras are susceptible to a security flaw that enables hackers to hijack the camera by merely pressing and holding a button, among other vulnerabilities. These findings were released by the consumer advocacy group Consumer Reports on Thursday.
Consumer Reports' investigation detailed four major security and privacy vulnerabilities in doorbell cameras manufactured by EKEN, a Shenzhen, China-based company. EKEN produces cameras under its own brand and, seemingly, for other brands like Tuck.
Despite their affordability, these doorbell cameras, previously available on online marketplaces such as Walmart and Temu, were withdrawn from sale after Consumer Reports flagged the issues to these companies. Nevertheless, the products remain accessible through other outlets.
The research highlighted a particularly alarming issue: if an individual is near an EKEN doorbell camera, they can gain "full control" over it. This is achieved by downloading the camera's official app, Aiwit, and putting the camera into pairing mode by pressing the doorbell's button for eight seconds. With over a million downloads on Google Play, the Aiwit app is evidently widely utilized.
By creating a new account in the app and scanning the doorbell camera's QR code displayed on the app with the camera, a malicious user can add the doorbell to their account, effectively seizing control from the original homeowner's account, Consumer Reports revealed.
One mitigating aspect noted was that the camera's original owner would receive an email notification stating their "Aiwit device has changed ownership" after the takeover, based on tests conducted by Consumer Reports.
Additional concerns raised by Consumer Reports include the doorbells transmitting owners' IP addresses online, broadcasting still images captured by the cameras that could be intercepted without needing a password, and revealing the unencrypted name of the local Wi-Fi network to which the doorbell connects over the internet.
Attempts by Consumer Reports to contact EKEN regarding these security issues reportedly went unanswered.