On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.
If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.
Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.
Blair was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in this doorbell, along with others sold under different brands but apparently made by the same manufacturer. The doorbells also lack a visible ID issued by the Federal Communications Commission (FCC) that’s required by the agency’s regulations, making them illegal to distribute in the U.S.
Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.
Previously, regulators have asserted that thousands of unsafe products, including potentially dangerous children’s sleepwear, carbon monoxide detectors and dietary supplements, have been widely available on Amazon.
“Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” said Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”
Danger at the Door
Blair and Della Rocca discovered the problems while evaluating a number of video doorbells for our regular ratings program. They were sold under two brand names, Eken and Tuck.
The two devices stood out not just because of the security problems but also because they appeared to be identical, right down to the plain white box they came in, despite having different brand names. Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken.
We bought two of these products, sold under the Fishbot and Rakeblue brands, and found the same vulnerabilities.
The security issues are serious. People who face threats from a stalker or estranged abusive partner are sometimes spied on through their phones, online platforms, and connected smartphone devices. The vulnerabilities CR found could allow a dangerous person to take control of the video doorbell on their target’s home, watching when they and their family members come and go.
“Products like these, by failing to prioritize trust and safety, put domestic violence victims at risk. Without question, the one place a victim needs to be safe is in their home,” said Adam Dodge, CEO of EndTAB, a nonprofit that provides information on how to combat technology-enabled abuse. “Devices designed to make someone feel safe at home, while actually doing the opposite, shouldn’t be allowed on the market.”
CR tried to reach company officials at Eken and Tuck to warn them of the problems, hoping to have the issues fixed before reporting on them publicly. We have not received responses.
First, these doorbells expose your home IP address and WiFi network name to the internet without encryption, potentially opening your home network to online criminals. Security experts worry there could be more problems, including poor security on the company servers where videos are being stored.
“The fact that they aren’t using encryption is egregious,” said Beau Woods, a digital security researcher with the cybersecurity advocacy group I Am The Cavalry. “It indicates there may be a whole host of bad practices.”
The video doorbells pose a special threat to individuals who are in danger from people who know where they live.
Anyone who can physically access one of the doorbells can take over the device — no tools or fancy hacking skills are needed. Let’s imagine that an abusive ex-boyfriend wants to watch the comings and goings of his former partner and her children. He’d simply need to create an account on the Aiwit smartphone app, then go to his target’s home and hold down the doorbell button to put it into pairing mode. He could then connect the doorbell to a WiFi hotspot and take control of the device.
As the new “owner” of the device, he could now watch who comes and goes, and when.
And he can see the device’s serial number. That’s dangerous because of the company’s poor security systems.
When the stalker pairs the device to his phone, the original owner will get an email saying she no longer has access to the device. That might seem like a small technological glitch she can solve by simply re-pairing the device with her own phone, taking back control.
But once the stalker has the serial number, he can continue to remotely access still images from the video feed. (The CR journalist provided the serial number to Blair to allow him to remotely access her camera.) No password is needed, or even an account with the company, and no notification is sent to the doorbell’s owner.
In our scenario, the dangerous actor will continue to see time-stamped photos of everyone who comes and goes. And if he chooses to share that serial number with other individuals, or even post it online, all those people will be able to monitor the images, too.
“Unencrypted personal data in network traffic is unfortunately not uncommon with connected devices, but I was shocked to find such a gaping security hole allowing complete strangers to freely harvest private video thumbnails,” Blair said. “The lack of basic access controls contradicts basic information security principles. It’s alarming.”
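The access-control gap described above, modeled as an added example that is not code from Consumer Reports or from the doorbell maker: a toy in-memory cloud service showing a lookup keyed only by serial number beside one bound to the device's current owner. Every class, method, account and serial name here is hypothetical, and the data is constructed.

```python
import secrets

class DoorbellCloud:
    """Toy in-memory model of a doorbell cloud service (hypothetical, constructed)."""
    def __init__(self):
        self.owner = {}      # serial -> account currently paired to the device
        self.thumbs = {}     # serial -> stored thumbnail names
        self.sessions = {}   # session token -> account

    def login(self, account):
        token = secrets.token_urlsafe(32)  # unguessable, unlike a device serial
        self.sessions[token] = account
        return token

    def pair(self, token, serial):
        account = self.sessions.get(token)
        if account is None:
            raise PermissionError("login required")
        self.owner[serial] = account       # re-pairing replaces the previous owner
        self.thumbs.setdefault(serial, [])

    def thumbnails_weak(self, serial):
        # Flawed pattern: knowing the serial number is the only requirement.
        return list(self.thumbs.get(serial, []))

    def thumbnails_checked(self, token, serial):
        # Hardened: caller must hold a valid session AND be the current owner.
        account = self.sessions.get(token)
        if account is None or self.owner.get(serial) != account:
            raise PermissionError("not the current owner of this device")
        return list(self.thumbs[serial])

def demo():
    cloud = DoorbellCloud()
    serial = "SN-CONSTRUCTED-0001"         # constructed sample value
    other = cloud.login("other-person")
    cloud.pair(other, serial)              # someone else pairs and learns the serial
    resident = cloud.login("resident")
    cloud.pair(resident, serial)           # resident re-pairs and regains ownership
    cloud.thumbs[serial].append("2024-02-01T08:00:00.jpg")
    leaked = cloud.thumbnails_weak(serial) # still served with the serial alone
    try:
        cloud.thumbnails_checked(other, serial)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, cloud.thumbnails_checked(resident, serial)
```

With the ownership check in place, re-pairing actually revokes the earlier account's access, and a serial number that has been shared or posted online is no longer enough to read images.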
Many Brands, One Flawed Device
Eken, Tuck and the other brands we saw aren’t the biggest names in the video doorbell market, but they are strong sellers. The doorbells appeared in multiple listings on Amazon—we found eight for the Eken video doorbell and three for the Tuck version of the product. Those listings generated more than 4,200 sales in January 2024 alone.
We also found these doorbells for sale at walmart.com, sears.com, and on the global marketplaces Shein and Temu. And seemingly identical video doorbells are available from even more brands. Walmart.com, for example, is selling them under the names Andoe, Gemee, and Luckwolf.
“The large variety of brands, devices, versions, and sellers can make it extremely hard for buyers” to find safe, reliable products, Woods said. “It also increases the difficulty level for those trying to get unsafe or illegal devices out of these marketplaces.”
In addition to contacting Eken and Tuck, Consumer Reports also told Amazon, Walmart, Sears, Shein, and Temu what we’d found.
Temu said in an emailed statement that it was reviewing CR’s findings and had removed from its website all video doorbells using the Aiwit app and made by Eken—but similar-looking if not identical doorbells remained on the site. Walmart told CR via email that it expects the products sold in its marketplace “to be safe, reliable and compliant with our standards and all legal requirements. Items that are identified to not meet these standards or requirements will be promptly removed from the website and remain blocked.”
Amazon, Sears, and Shein didn’t respond to questions from CR’s journalists.
As of the end of February 2024, most of the products we found online were still available for sale on those retailers’ websites.
On top of the security vulnerabilities, CR’s testers noticed that the doorbells lacked FCC identifiers that are supposed to be visible to consumers. These codes let you look up a product in an FCC database to see that it’s been tested to ensure it doesn’t cause harmful radio interference with other electronics or exceed safe radio-frequency limits for human health.
We found FCC records online for some of the devices, and it’s possible they have all been properly tested. However, without visible IDs, they are illegal to sell in the U.S., according to published FCC rules. (The agency did not comment directly on our findings.)
Amazon provides a link on every product listing to alert the company to problematic items. We used the link to report the missing FCC ID for the Tuck video doorbell, but days later, it was still available.
Fast, Cheap R&D
Over the past few months, Eken and Tuck video doorbells have often carried badges saying “Amazon’s Choice: Overall Pick.” The badges appeared even after CR alerted Amazon to the security problems.
To many shoppers, an Amazon’s Choice label might imply that Amazon had deliberately chosen that video doorbell as one to keep in stock, and was promoting it for its quality. But that’s not the way it works.
Like more than 6 out of every 10 items sold on Amazon, Eken’s products are posted by an independent company, with Amazon generally handling services such as warehouse services, shipping, and returns. Anyone can sell nearly anything on Amazon, and the company earned roughly $140 billion in revenue from third-party sellers in 2023.
That allows shoppers to find a vast array of products, but it can also make it hard to know just what you’re buying, and who’s selling it.
All 10 of the doorbell brands, as well as the Aiwit app, appear to be owned by an 18-year-old company called Eken Group Ltd., based in Shenzhen, China. The company also has an office in Southern California run out of an apartment in Temple City.
Eken didn’t respond to CR’s questions about its video doorbells. However, for many Chinese tech companies, selling cheap hardware under multiple brand names can increase sales in a product category that’s very popular — until it isn’t, according to Andrew Huang, a prominent engineer and software expert who goes by the name Bunnie and is the author of “The Essential Guide to Electronics in Shenzhen.” At that point, Huang said, the company will switch products, moving on to the next big thing.
“For the security camera market, a brand is just a brand — think of it more like a marketing agency that can do a bit of injection molding and package design to create a look and feel, but they don’t do much beyond that,” he said. “They don’t hold a lot of inventory, and they flit in and out of existence, surfing the trends of commodity markets.”
To create their products, such companies can take a reference design from a chip company that makes the brains inside electronic devices, buy the relevant electronics from neighboring factories, manufacture a cheap plastic case, and then assemble the final product.
Huang said some Chinese companies can put together a new electronic device in as little as two weeks.
However, that kind of fast, cheap product development doesn’t lend itself to cybersecurity, according to Steve Hanna, who is responsible for IoT security strategy and technology at Infineon Technologies, a semiconductor company.
“It’s always the case that building a more secure product costs more,” he said, but for many low-cost IoT companies there is little economic incentive to include security because it is invisible to most consumers.
If such products haven’t been vetted by Amazon, why are they receiving Amazon’s Choice badges? According to a company FAQ, the designation is based on a product’s “ratings, price, popularity, product availability and fast delivery.” The badges are generated dynamically by an algorithm and can suddenly pop up, then disappear just as quickly.
What Consumers Can Do
If you own one of these doorbells, Consumer Reports recommends that you disconnect it from your home WiFi and remove it from your door. CR has evaluated video doorbells with much better security from brands including Logitech, SimpliSafe, and Ring — which is actually owned by Amazon.
More broadly, don’t assume that large online retail platforms have evaluated the safety of all the products they sell. Federal agencies and journalists have reported a variety of dangerous or illegal products for sale on Amazon over the years.
If you bought flawed items from a local store, it might be liable for damages or fines, but in previous legal proceedings, Amazon has claimed that it’s not responsible for items sold by third parties on its platform, because for those sellers it’s just acting as a logistics company. The Consumer Product Safety Commission disagrees and has tussled with Amazon over this issue in the past. It is considering an order that would officially classify the marketplace as a “distributor of goods” with the responsibilities of conventional retailers, according to reporting in The Wall Street Journal. If such an order goes through, similar rulings could affect other online marketplaces.
Meanwhile, Consumer Reports is asking online retailers to take steps to guarantee the quality of the products available on their platforms. CR has also advocated for legislation to make online platforms strictly liable for selling defective products and pushed for laws that make it clear that retailers need to take reasonable steps to keep harmful, fraudulent, or insecure products off their platforms.
And we shared our findings about video doorbells with the Federal Trade Commission, which has the power to remove products like these from the marketplace. The agency declined to comment on what action it might take, noting that its investigations are private.
“Regulators need to be doing more to address the torrent of junk that’s out there,” said CR’s Brookman. “That means going after the manufacturers, but also the platforms that sell them — and apparently even explicitly recommend them.”