Consumer advocacy groups have discovered alarming security flaws in video doorbells manufactured by Eken Group and sold under various brand names, including Eken, Fishbot, Rakeblue, and Tuck. These devices use the Aiwit smartphone app and are available from popular online retailers like Amazon, Shein, Temu, and Walmart.
In February, a report exposed vulnerabilities that enabled malicious individuals to remotely take control of a video doorbell at a targeted residence. Gaining access required no hacking expertise; individuals could simply download the Aiwit app, approach the target’s home, and press the doorbell button to pair it with their own smartphone, allowing them to modify Wi-Fi settings and gain full control of the device.
Furthermore, security experts discovered that anyone with a doorbell’s serial number could remotely view still images from the video feed without requiring a password or account. Additionally, the devices failed to encrypt the user’s home IP address and Wi-Fi network, potentially exposing this information to criminals.
An initial assessment identified identical doorbells sold under the Eken and Tuck brands, both requiring the Aiwit smartphone app. Subsequent investigations revealed 10 additional seemingly identical doorbells manufactured by Eken but marketed under various brand names.
Upon reviewing Eken’s firmware update, the organization confirmed the resolution of the identified vulnerabilities. While the group advocates for products being secure from the outset, its testing played a vital role in improving consumer safety.
As a consequence of these revelations, the FCC has initiated inquiries with Amazon, Sears, Shein, Temu, and Walmart regarding their product vetting procedures. None of the retailers have yet responded to requests for comment.
In addition to the security concerns, it was also discovered that Eken’s video doorbells lacked Federal Communications Commission (FCC) ID labels, a legal requirement. The company has since appended the FCC IDs to the electronic manuals for the devices.
In response to the February report, several Eken doorbells have been withdrawn from online retailers. It is noteworthy that many of these doorbells had been designated as “Amazon’s Choice” or “Overall Picks,” labels that Amazon has been criticized for granting without sufficient explanation and that can often be found on dubious products.
Owners of Eken-produced video doorbells are urged to verify that their firmware is up to date. The update should be applied automatically, but double-checking is recommended. Within the Aiwit app, navigate to the “Devices” page and tap the doorbell’s name to access its settings. A firmware version of 2.4.1 or higher indicates that the device is current.
Eken’s video doorbells have raised concerns over user privacy and security, prompting a firmware update and further investigation into the vetting practices of major online retailers. Consumers are advised to remain vigilant regarding the security of their connected devices and to ensure they are using the latest software updates to protect their data and privacy.