Imagine setting up a shiny new video doorbell from Amazon on your front door to surveil all your family’s comings and goings, your friends’ visits, your packages getting delivered, your daily schedule, and your kids as they come home from school. Now picture this: Someone thousands of miles away watching your video feed unbeknownst to you.
This is the scenario a Consumer Reports investigation uncovered in video doorbell brands widely sold on Amazon, Walmart, Temu, and Shein. The investigation focused on video doorbells from at least ten different brands that were found to come from the same Chinese manufacturer, all of which used the same mobile app, Aiwit.
Here’s how CR found that the video doorbells were easy targets for a cyberattack:
- They lack a visible ID issued by the FCC, which makes it illegal to distribute them in the U.S., as all electronic devices must have one.
- The system doesn’t encrypt your home IP address and Wi-Fi network name, exposing your information.
- Anyone with physical access to the doorbell can take it over by resetting it, which entails downloading the Aiwit app, long-pressing the doorbell button, and pairing the doorbell with their phone — all in minutes. This would then give that person access to the video feed, history, alerts, and the doorbell’s serial number.
- Even if someone resets the account password to take back control of the account, the “hacker” can still remotely access still images from the video feed using the video doorbell’s serial number without letting the owner know.
Legal protections are in place to ensure that smart home devices like video doorbells and other security cameras are hard for attackers to hack. Unfortunately, the Consumer Reports investigation found that many devices sold in major online stores violate these regulations.
The Federal Communications Commission (FCC) has rules for electronic devices in the US to certify that they comply with the required norms for wireless communication, and those rules include carrying an ID. This unique identifier certifies that the device complies with safety standards for electromagnetic interference and with wireless communication standards.
“Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” says Justin Brookman, director of technology policy for CR. “There is more they could do to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”
The different video doorbell brands, including Eken, Tuck, Fishbot, Andoe, Gemee, Luckwolf, and Rakeblue, have generated thousands of sales in 2024 alone. Though CR has reported them, some still appear on Amazon, a few with the “Amazon’s Choice” label.
The biggest problem is that an Amazon’s Choice label can give a misleading impression, as is certainly the case here. Aside from the lack of transparency about why some products receive the label, there have been instances where labeled products have received fake reviews, raising concerns about the label’s reliability.
“So many people are hoodwinked by the cheap products you can buy through certain massive online outlets. But you need to be careful. Most of these products have Tuya firmware and they can have significant privacy and security issues,” Bret Jordan, Afero’s chief security strategist, shared on LinkedIn after reading the investigation.
Afero is an IoT services platform behind The Home Depot’s branded smart home products. As a cybersecurity expert focused on building a security-focused foundation for Afero IoT devices, Jordan believes the US government isn’t doing enough to protect consumers from lax security and low privacy standards that other countries have.
“For so long I have heard that the security of a lightbulb or other small constrained device does not matter. But it actually does, and in a very big and real way and no amount of bolt-on after-the-fact security is going to help. You need solutions that are secure by design and secure from the very first line of code,” Jordan added.
CR reported the lack of security in these video doorbells to all sellers. Still, the only retailer that had responded to the reporting agency at press time was Temu, which promised to stop the sales of these doorbells. Despite CR’s warnings, Temu had only removed some of its listings for these devices.