These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway.
The devices are also sold by Walmart, Sears, and other retailers—and big platforms have faced few consequences for shipping flawed products
Update: This article was originally published on Feb. 29, 2024. It was updated on March 15, 2024, to reflect information provided by Eken after publication. (That information appears below in italics.) In April, CR confirmed that Eken had issued fixes for the problems we’d found.
On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.
If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.
Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.
Blair was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in this doorbell, along with others sold under different brands but apparently made by the same manufacturer. The doorbells also lack a visible ID issued by the Federal Communications Commission (FCC) that’s required by the agency’s regulations, making them illegal to distribute in the U.S. (The doorbell manufacturer, Eken, did not respond to queries before publication, but it contacted CR after publication and stated that new packaging with the ID would be available in about a month.)
Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.
Previously, regulators have asserted that thousands of unsafe products, including potentially dangerous children’s sleepwear, carbon monoxide detectors, and dietary supplements, have been widely available on Amazon.
"Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” says Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products."
Photo: Consumer Reports Photo: Consumer Reports
Danger at the Door
Blair and Della Rocca discovered the problems while evaluating a number of video doorbells for our regular ratings program. They were sold under two brand names, Eken and Tuck.
The two devices stood out not just because of the security problems but also because they appeared to be identical, right down to the plain white box they came in, despite having different brand names. Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken.
We bought two of these products, sold under the Fishbot and Rakeblue brands, and found the same vulnerabilities.
The security issues are serious. People who face threats from a stalker or estranged abusive partner are sometimes spied on through their phones, online platforms, and connected smartphone devices. The vulnerabilities CR found could allow a dangerous person to take control of the video doorbell on their target’s home, watching when they and their family members come and go.
As the new “owner” of the device, he could now watch who comes and goes, and when.
And he can see the device’s serial number. That’s dangerous because of the company’s poor security systems.
When the stalker pairs the device to his phone, the original owner will get an email saying she no longer has access to the device. That might seem like a small technological glitch she can solve by simply re-pairing the device with her own phone, taking back control.
But once the stalker has the serial number, he can continue to remotely access still images from the video feed. (The CR journalist provided the serial number to Blair to allow him to remotely access her camera.) No password is needed, or even an account with the company, and no notification is sent to the doorbell’s owner.
In our scenario, the dangerous actor will continue to see time-stamped photos of everyone who comes and goes. And if he chooses to share that serial number with other individuals, or even post it online, all those people will be able to monitor the images, too.
"Unencrypted personal data in network traffic is unfortunately not uncommon with connected devices, but I was shocked to find such a gaping security hole allowing complete strangers to freely harvest private video thumbnails,” Blair says. “The lack of basic access controls contradicts basic information security principles. It’s alarming."
Many Brands, One Flawed Device
Eken, Tuck, and the other brands we saw aren’t the biggest names in the video doorbell market, but they are strong sellers. The doorbells appeared in multiple listings on Amazon—we found eight for the Eken video doorbell and three for the Tuck version of the product. Those listings generated more than 4,200 sales in January 2024 alone.
We also found these doorbells for sale at walmart.com, sears.com, and on the global marketplaces Shein and Temu. And seemingly identical video doorbells are available from even more brands. Walmart.com, for example, is selling them under the names Andoe, Gemee, and Luckwolf.
“The large variety of brands, devices, versions, and sellers can make it extremely hard for buyers” to find safe, reliable products, Woods says. “It also increases the difficulty level for those trying to get unsafe or illegal devices out of these marketplaces.”
In addition to contacting Eken and Tuck, Consumer Reports also told Amazon, Walmart, Sears, Shein, and Temu what we’d found.
Source: Manufacturers Source: Manufacturers
Temu said in an emailed statement that it was reviewing CR’s findings and had removed from its website all video doorbells using the Aiwit app and made by Eken—but similar-looking if not identical doorbells remained on the site. Walmart told CR via email that it expects the products sold in its marketplace “to be safe, reliable and compliant with our standards and all legal requirements. Items that are identified to not meet these standards or requirements will be promptly removed from the website and remain blocked.”
Amazon, Sears, and Shein didn’t respond to questions from CR’s journalists.
As of the end of February 2024, most of the products we found online were still available for sale on those retailers’ websites.
On top of the security vulnerabilities, CR’s testers noticed that the doorbells lacked FCC identifiers that are supposed to be visible to consumers. These codes let you look up a product in an FCC database to see that it’s been tested to ensure it doesn’t cause harmful radio interference with other electronics or exceed safe radio-frequency limits for human health.
We found FCC records online for some of the devices, including Eken-branded doorbells, which means those doorbells were tested. However, without visible IDs, they are illegal to sell in the U.S., according to published FCC rules. The agency did not comment directly on our findings. (After publication, Eken notified CR that it would be adding the IDs to its products so that "the FCC ID will be properly reflected in the new packaging of the products.")
Amazon provides a link on every product listing to alert the company to problematic items. We used the link to report the missing FCC ID for the Tuck video doorbell, but days later, it was still available.
Fast, Cheap R&D
Over the past few months, Eken and Tuck video doorbells have often carried badges saying “Amazon’s Choice: Overall Pick.” The badges appeared even after CR alerted Amazon to the security problems.
To many shoppers, an Amazon’s Choice label might imply that Amazon had deliberately chosen that video doorbell as one to keep in stock, and was promoting it for its quality. But that’s not the way it works.
Source: Amazon Source: Amazon
Like more than 6 out of every 10 items sold on Amazon, Eken’s products are posted by an independent company, with Amazon generally handling services such as warehouse services, shipping, and returns. Anyone can sell nearly anything on Amazon, and the company earned roughly $140 billion in revenue from third-party sellers in 2023.
That allows shoppers to find a vast array of products, but it can also make it hard to know just what you’re buying, and who’s selling it.
All 10 of the doorbell brands, as well as the Aiwit app, appeared to be owned by an 18-year-old company called Eken Group Ltd., based in Shenzhen, China. The company also has an office in Southern California run out of an apartment in Temple City.
(Eken didn’t respond to CR’s questions about its video doorbells before publication. After publication, the company told CR that it manufactures video doorbells under its own brand, and also manufactures white-label doorbells for separately owned brands.)
For many Chinese tech companies, selling cheap hardware under multiple brand names can increase sales in a product category that’s very popular—until it isn’t, according to Andrew Huang, a prominent engineer and software expert who goes by the name Bunnie and is the author of “The Essential Guide to Electronics in Shenzhen.” At that point, Huang says, the company will switch products, moving on to the next big thing.
“For the security camera market, a brand is just a brand—think of it more like a marketing agency that can do a bit of injection molding and package design to create a look and feel, but they don’t do much beyond that,” he says. “They don’t hold a lot of inventory, and they flit in and out of existence, surfing the trends of commodity markets.”
To create their products, such companies can take a reference design from a chip company that makes the brains inside electronic devices, buy the relevant electronics from neighboring factories, manufacture a cheap plastic case, and then assemble the final product.
Huang says some Chinese companies can put together a new electronic device in as little as two weeks.
However, that kind of fast, cheap product development doesn’t lend itself to cybersecurity, according to Steve Hanna, who is responsible for IoT security strategy and technology at Infineon Technologies, a semiconductor company.
“It’s always the case that building a more secure product costs more,” he says, but for many low-cost IoT companies there is little economic incentive to include security because it is invisible to most consumers.
If such products haven’t been vetted by Amazon, why are they receiving Amazon’s Choice badges? According to a company FAQ, the designation is based on a product’s “ratings, price, popularity, product availability and fast delivery.” They are generated dynamically by an algorithm and can suddenly pop up, then disappear just as quickly.
What Consumers Can Do
If you own one of these doorbells, Consumer Reports recommends that you disconnect it from your home WiFi and remove it from your door. CR has evaluated video doorbells with much better security from brands including Logitech, SimpliSafe, and Ring—which is actually owned by Amazon.
More broadly, don’t assume that large online retail platforms have evaluated the safety of all the products they sell. Federal agencies and journalists have reported a variety of dangerous or illegal products for sale on Amazon over the years.
If you bought flawed items from a local store, it might be liable for damages or fines, but in previous legal proceedings Amazon has claimed that it’s not responsible for items sold by third parties on its platform, because for those sellers it’s just acting as a logistics company. The Consumer Product Safety Commission disagrees and has tussled with Amazon over this issue in the past. It is considering an order that would officially classify the marketplace as a “distributor of goods” with the responsibilities of conventional retailers, according to reporting in The Wall Street Journal. If such an order goes through, similar rulings could affect other online marketplaces.
Meanwhile, Consumer Reports is asking online retailers to take steps to guarantee the quality of the products available on their platforms. CR has also advocated for legislation to make online platforms strictly liable for selling defective products, and pushed for laws that make it clear that retailers need to take reasonable steps to keep harmful, fraudulent, or insecure products off their platforms.
And we shared our findings about video doorbells with the Federal Trade Commission, which has the power to remove products like these from the marketplace. The agency declined to comment on what action it might take, noting that its investigations are private. (After publication, FCC Commissioner Geoffrey Starks sent letters to the retailers cited in this article asking what steps they take to ensure that products they sell conform to FCC regulations.)
"Regulators need to be doing more to address the torrent of junk that’s out there,” says CR’s Brookman. “That means going after the manufacturers, but also the platforms that sell them—and apparently even explicitly recommend them."