Security vulnerabilities within smart doorbells have been uncovered by a team of engineers. These flaws, found in devices controlled by the Aiwit application, allow unauthorized access to images captured by the security cameras installed in other users’ homes.
Engineers Steve Blair and David Della Roca have identified these vulnerabilities in at least ten models of smart doorbells. Despite having different brand names such as Fishbot, Andoe, Gemee, Luckwolf, Rakeblue, Eken, or Tuck, these devices share the same design.
As per Consumer Reports, these doorbells, operated via the Aiwit mobile application, are sold in their thousands every month on numerous online platforms. This includes major retailers such as Amazon, Walmart, Sears, Shein, and Temu.
From their investigative work, Blair and Della Roca identified that the security flaws in these devices allow unauthorized access to camera footage. This means it’s possible for someone to monitor when individuals enter or exit their homes.
Moreover, these doorbells expose sensitive information without encryption, including the IP address of the house where they are installed, the serial number of the device, and the WiFi network name. This lack of security makes it easier for individuals outside of the home to access the doorbell’s camera footage.
The researchers also discovered that these devices can be controlled in person. By pairing the doorbell with a device that has the Aiwit application installed, an individual could connect the doorbell to a WiFi access point and monitor images.
Additionally, these devices were found to lack certification from the United States Federal Communications Commission (FCC). This certification is usually placed prominently on the device or packaging and verifies that the device doesn’t cause harmful radio interference or exceed safe radio frequency limits.
Though Blair and Della Roca confirmed that some of these doorbells appeared in the FCC’s online records – indicating they had been appropriately tested for safety – the lack of visible certification on the products means their sale in the United States is illegal.
‘AMAZON OPTION’
Consumer Reports has notified the distributors of these doorbells about these security issues, but has yet to receive a response from Sears, Shein, or Amazon. The latter, in fact, continued to list Eken or Tuck branded doorbells as ‘Amazon Option’ – a designation indicating high-rated, well-priced products available for immediate shipping – at the time this report was published.
It’s important to note that this is not the first instance of such security flaws. A few weeks ago, a vulnerability was discovered in the Wyze video camera system that allowed users to view the homes of other people who had the cameras installed. The issue was so pervasive that around 13,000 users were able to view thumbnails that were not their own.
This security incident originated from an issue with Amazon Web Services (AWS), Wyze’s cloud services provider, which temporarily disconnected the cameras from the video surveillance system.