In a recently published article, Consumer Reports (CR) is warning people of a faulty video doorbell being sold on Amazon that can be easily commandeered by a total stranger.
The device itself doesn’t have a specific name, as it’s sold under different brand names across multiple commerce platforms, not just Amazon. These names include Fishbot, Gemee, Luckwolf, Rakeblue, and Tuck. It doesn’t matter where or from whom you buy the doorbell, since they can all be controlled by the Aiwit app, which itself is owned by Chinese electronics company Eken. CR, as part of its investigation, bought the device and had a couple of staff members test its security. Needless to say, it’s really bad. All a bad actor needs to take over Eken’s product is to have Aiwit’s app installed on their smartphone.
Bad security
According to CR’s findings, a random person can walk up to a target’s house, “hold down the doorbell button to put it into pairing mode”, then connect it to their phone’s Wi-Fi hotspot and take complete control. What’s even scarier is that gaining access allows strangers to see the doorbell’s serial number. With that number, they can remotely view still images from the source video feed at any time. If that wasn’t enough, the pictures are timestamped, so they know exactly when someone leaves and comes back to their home.
The security issues don’t stop there. These doorbells actually “expose your home IP address and” the name of your Wi-Fi network to the internet without any sort of encryption attached. Serial numbers can be shared with others online, giving those people access as well. CR points out that the devices “lack a visible ID issued by the Federal Communications Commission (FCC)”. Without this label, it’s actually illegal to sell the product in the United States.
What’s particularly egregious is Eken’s doorbell was given Amazon’s Choice badge, meaning it gets promoted by the platform as a high-quality item.
Following the investigation, CR reached out to multiple platforms informing them of the faulty doorbell. Few responded. One that did was Walmart, which told the publication that it has removed the product from its website with no plans on bringing it back. Amazon, on the other hand, is staying quiet. It was still selling the device at the time of this writing. Consumer Reports even contacted Eken, but was met with radio silence. TechRadar also contacted Amazon and will update this story with its response.
It’s worth mentioning that Eken sells indoor cameras, although it’s unknown if these have the same vulnerabilities too. CR told The Verge that it hasn’t tested the other models, nor does it appear that Aiwit servers have any sort of defense from would-be hackers. Anybody can send in a ton of requests and seemingly gain entry to people’s feeds without much pushback.
Consumer Reports is recommending current owners immediately disconnect the Eken video doorbell from their Wi-Fi and remove it from their door. They’re also asking online retailers to be more proactive in ensuring the quality of the items they sell.
If you’re looking for other options, check out TechRadar’s list of the best video doorbell for 2024.