A company that manufactures video doorbells found by Consumer Reports to contain serious security vulnerabilities has issued a fix, the consumer advocacy group is reporting. Eken Group has issued a firmware update for the affected security products under its own name, as well as those from other brands it has licensing deals with, including Fishbot, Rakeblue, Tuck, and others. All the video doorbells use the Aiwit smartphone app and could be purchased from popular online retailers like Amazon, Shein, Temu, and Walmart.
Back in February, CR reported that it found vulnerabilities in Eken-produced video doorbells that “could allow a dangerous person to take control of the video doorbell on their target’s home.”
Gaining access to the doorbell didn’t even require any level of hacking knowledge: bad actors could simply download the Aiwit app, go to their target’s home, and hold down the doorbell’s button to pair it with their own smartphones, change their Wi-Fi network, and take control of the device.
Additionally, anyone with the doorbell’s serial number could remotely view still images from the video feed — no password or account required, CR security experts found. Doorbell owners didn’t receive a notification of any kind if another user accessed their video feed in this manner.
The doorbells also didn’t encrypt the user’s home IP address or Wi-Fi network, leaving both potentially exposed to criminals.
The doorbells that CR initially rated were sold under the brand names Eken and Tuck and seemed identical, down to both requiring users to download the Aiwit smartphone app. The group later found 10 other seemingly identical doorbells made by Eken but sold under a number of different brand names.
CR has reviewed Eken’s firmware update and says the problem has been fixed. “While we would prefer that products be safe and secure from their initial launch, the ability of our testing to uncover vulnerabilities results in better products for consumers,” CR’s senior director of product testing, Maria Rerecich, said in its report.
As a result of CR’s reporting, the FCC has asked Amazon, Sears, Shein, Temu, and Walmart for more details about how they vet products sold on their platforms. None of the five retailers have responded to CR’s request for comment on the matter.
Eken’s video doorbells also lacked Federal Communications Commission ID labels, which are required by law, CR found. The company has since added the FCC IDs to the electronic manuals for the doorbells.
Since CR published its February report, many of the Eken doorbells have been pulled from online retailers. Notably, a number of the doorbells had been labeled Amazon: Overall Pick or carried the Amazon’s Choice badge, a label with mysterious criteria that Amazon has refused to explain fully and that can be found on many dubious products.
If you own an Eken-produced video doorbell, be sure to check if your firmware is up to date. Your doorbell should receive the update automatically, but it’s smart to double-check. Go to the “Devices” page on the Aiwit app and tap on the doorbell’s name, which should open up the settings. The firmware number should be 2.4.1 or higher, which indicates it’s up to date.
https://www.theverge.com/2024/4/26/24141844/eken-firmware-update-consumer-reports-video-doorbell-security-vulnerability