Researchers have found a security vulnerability in several popular smart doorbells that could allow bad actors to access footage from the devices.

The researchers, who work at the nonprofit organization Consumer Reports, published their findings today. The vulnerability was discovered in doorbells sold by a Shenzhen-based company called Eken under the Eken and Tuck brands. It’s believed that the company sells nearly identical doorbells under at least 10 other brands.

The vulnerability identified by Consumer Reports affects a mobile app, Aiwit, that customers use to manage their Eken devices. Hackers with physical access to a vulnerable doorbell can leverage the app to remotely access footage of arrivals and departures at a home. Moreover, that access can’t be easily removed by the doorbell’s owner.

According to Consumer Reports, exploiting the vulnerability simply requires a hacker to create an account in the Aiwit app and then press the button of a targeted doorbell. Pressing the button connects the device to a nearby Wi-Fi hotspot. From there, hackers can pair the doorbell to their smartphones and access its footage in the Aiwit interface.

Consumers who use an Eken doorbell receive a notification when the device’s configuration is changed in this manner. As a result, they can in theory unlink the hacker’s smartphone and thereby block unauthorized access to footage. In practice, however, bad actors can retain their access.

After hackers take over an Eken doorbell, they gain the ability to view the device’s serial number in the Aiwit app. Consumer Reports found that this series number can be used to remotely access timestamped still images from a doorbell even after the device is no longer synced to a bad actor’s handset.

“No password is needed, or even an account with the company, and no notification is sent to the doorbell’s owner,” Consumer Reports detailed. If a hacker shares the serial number with other people, they too gain the ability to access images from the doorbell.

The researchers also identified other issues in the affected products. They found that the devices expose the user’s home IP address and Wi-Fi network to the public internet without encryption, which can potentially increase the risk of cyberattacks. “Security experts worry there could be more problems, including poor security on the company servers where videos are being stored” the researchers added.

The U.S. Federal Communications Commission requires consumer devices to ship in a case that displays a unique identifier. This identifier allows customers to find technical information about a product in an FCC database. According to Consumer Reports, several Eken doorbells don’t display such a code on their case, which makes them illegal to distribute in the U.S.

The nonprofit has shared its findings with the FCC, as well as Eken and several online retailers that sold the company’s doorbells through their websites. Consumer Reports is recommending that customers remove the vulnerable devices and disconnect them from the local Wi-Fi network.

Image: Jan Alexander/Pixabay