In a recently published article, Consumer Reports (CR) warns people about a defective video doorbell being sold on Amazon that can easily be taken over by a complete stranger.
The device itself does not have a specific name as it is sold under different brand names on multiple trading platforms; not just Amazon. These names include Fishbot, Gemee, Luckwolf, Rakeblue, and Tuck. It doesn't matter where or who you buy the doorbell from, as they can all be controlled using the Aiwit app, which in turn is owned by the Chinese electronics company Eken. CR, as part of his investigation, purchased the device and had a couple of staff members test its security. Needless to say, it's really bad. All a bad actor needs to take over Eken's product is to have the Aiwit app installed on their smartphone.
Bad security
According to their findings, a random person can walk up to a target's house, “press and hold the doorbell button to put it in pairing mode,” then connect it to their phone's Wi-Fi hotspot and take full control. What's even scarier is that the access allows strangers to see the doorbell's serial number. With that number, they can remotely view still images of the source video at any time. If that wasn't enough, the images are timestamped so you know exactly when someone leaves and returns home.
The security problems do not end there. These doorbells actually “expose your home IP address and” the name of your Wi-Fi network to the Internet without any encryption attached. Serial numbers can be shared with other people online, giving those people access as well. CR notes that the devices “lack visible identification issued by the Federal Communications Commission (FCC).” Without this label, it is actually illegal to sell the product in the United States.
What's particularly egregious is that the Eken doorbell received the Amazon's Choice badge, meaning the platform promotes it as a high-quality item.
After investigation, CR reached out to various platforms to inform them about the faulty doorbell. Few responded; one of which was Walmart, who told the publication that they removed the product from their website with no plans to bring it back. Amazon, on the other hand, remains silent. They were still selling the device at the time of writing. Consumer Reports even reached out to Eken, but was met with radio silence. TechRadar has also contacted Amazon and will update this story with its response.
It is worth mentioning that Eken sells indoor cameras, although it is unknown if these also have the same vulnerabilities. CR told TheVerge that they have not tested the other models nor does it appear that the Aiwit servers have any type of defense against potential hackers. Anyone can submit a bunch of requests and seemingly get access to people's feeds without much rejection.
Consumer Reports recommends current homeowners immediately disconnect the Eken Video Doorbell from their Wi-Fi and remove it from their door. They are also asking online retailers to be more proactive in ensuring the quality of the items they sell.
If you're looking for other options, check out TechRadar's list of the best video doorbells for 2024.
