Eken Fixes Security Issues in Doorbell Cameras Sold by Amazon, Walmart, Others

Vulnerabilities found by CR could have allowed a stalker to monitor household members

By Daniel Wroclawski

April 25, 2024

Graphic: Consumer Reports

If you’re still using a video doorbell made by Eken, Fishbot, Rakeblue, Tuck, or any of several other brands that use similar hardware and the Aiwit smartphone app, then you’ll want to make sure it has received an important firmware update. (See details below.)

The various doorbells and the app are all produced by a company called Eken Group, which sells products under its own name and also has licensing deals with other video doorbell brands. The firmware update is one of several measures the company has taken to fix vulnerabilities found by Consumer Reports. The most serious of them could have allowed a stalker or other dangerous actor to monitor the feed from the doorbell camera.

Consumer Reports had labeled the Eken Smart Video Doorbell and Tuck Sharkpop Doorbell Camera with “Don’t Buy: Safety Risk” messages in our video doorbell ratings. Now that our digital privacy and security testing team has confirmed the problems have been fixed, we’ve removed those labels. (Nearly identical video doorbells covered by our investigation presented the same problems but haven’t appeared in CR ratings.)

“We’re pleased to see Eken fix the issues with its products in response to our findings,” says Maria Rerecich, CR’s senior director of product testing. “While we would prefer that products be safe and secure from their initial launch, the ability of our testing to uncover vulnerabilities results in better products for consumers.”

In addition to providing poor security, these doorbells lacked legally required Federal Communications Commission ID labels on their packaging and/or plastic casings. Eken says all of its products have undergone mandatory FCC testing. The company has added the FCC IDs to the electronic manuals for the doorbells, which can be accessed from the Aiwit app. The FCC declined to comment.

In an emailed statement, an Eken representative said, “We appreciate the feedback from Consumer Reports and our valued customers. We are committed to continuously improving our products to ensure the highest standards of security and compliance and have undertaken significant work.”

The video doorbells were being sold on a number of online marketplaces. On Amazon, they were sometimes tagged “Amazon’s Choice: Overall Pick.” They were also for sale on the Sears, Shein, Temu, and Walmart websites.

As of mid-April, the doorbells identified by CR under the brands Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, and Luckwolf were not for sale on any of these retail sites. According to Eken, the doorbells featured in CR’s ratings have been discontinued. However, Amazon was selling similar-looking doorbells under the Aiwit and Sunnyjane brands.

In response to the CR report, FCC Commissioner Geoffrey Starks contacted the five retailers asking for information on several issues, including whether the products they sell are checked for compliance with FCC regulations. The retailers have not replied to CR’s requests for comment.

Consumer Reports also shared the initial findings with the Federal Trade Commission. CR asked the agency to intervene to ensure that all video doorbells are governed by strong standards to protect consumers. The agency declined to comment.

“Unfortunately, the internet of things is rife with bad data security practices. Even when there are laws mandating certain security practices, there’s not enough awareness or enforcement to change practices industrywide,” says Justin Brookman, director of technology policy for CR. “People are starting to wake up to the importance of good data security, but we still have a long way to go.”

How to Check Your Doorbell’s Firmware

These doorbells should receive the firmware update automatically, which is what we observed with the four test samples in CR’s labs. But you should confirm that your doorbell is running a current version.

To check the firmware version, go to the Devices page in the Aiwit app and tap the doorbell’s name to open the settings, which lists the firmware version number. Depending on the brand and model, the correct number will be 2.4.1 or higher. If that’s what you see, your doorbell is up to date.

If you see a lower version number, go back to the Devices page in the app and look for a red chat bubble at the bottom right of the doorbell tile. Tap that bubble icon to find a message about the firmware update. The message should tell you to keep the doorbell connected to WiFi while the update downloads automatically.

At this point, you’ll want to wait a few hours (for one doorbell, our testers had to wait almost two days) and check the firmware version again to make sure the update is complete.

Daniel Wroclawski

Dan Wroclawski is a home and appliances writer at Consumer Reports, covering products ranging from refrigerators and coffee makers to cutting-edge smart home devices. Before joining CR in 2017, he was an editor at USA Today’s Reviewed, and launched the site’s smart home section. In his spare time, you can find him tinkering with one of the over 70 connected devices in his house. Follow Dan on Facebook and Twitter @danwroc.