    These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway.

    The devices are also sold by Walmart, Sears, and other retailers—and big platforms have faced few consequences for shipping flawed products

    The Fishbot doorbell camera (shown above) is one of many sold under various brand names that all use the same mobile app, called Aiwit. Their vulnerabilities could make it easy for hackers to spy on you.
    Photo Illustration: Lacey Browne/Consumer Reports

    Update: This article was originally published on Feb. 29, 2024. It was updated on March 15, 2024, to reflect information provided by Eken after publication. (That information appears below in italics.) In April, CR confirmed that Eken had issued fixes for the problems we’d found.

    On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.

    If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away. 

    Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.

    Blair was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in this doorbell, along with others sold under different brands but apparently made by the same manufacturer. The doorbells also lack a visible ID issued by the Federal Communications Commission (FCC) that’s required by the agency’s regulations, making them illegal to distribute in the U.S. (The doorbell manufacturer, Eken, did not respond to queries before publication, but it contacted CR after publication and stated that new packaging with the ID would be available in about a month.)

    CR journalist Stacey Higginbotham received this image from a doorbell camera on her home. A CR colleague downloaded it from almost 3,000 miles away.

    Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S. 

    Previously, regulators have asserted that thousands of unsafe products, including potentially dangerous children’s sleepwear, carbon monoxide detectors, and dietary supplements, have been widely available on Amazon.

    "Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” says Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products."

    Four of the same type of video doorbell each with generic boxes. From left to right: Tuck, Eken, Fishbot, Rakeblue.
    The video doorbells we evaluated have slightly different packaging and plastic casings, but you can tell they're virtually identical, thanks to the placement of their camera lenses, motion sensors, and doorbell buttons.

    Photo: Consumer Reports

    Danger at the Door

    Blair and Della Rocca discovered the problems while evaluating a number of video doorbells for our regular ratings program. They were sold under two brand names, Eken and Tuck.

    The two devices stood out not just because of the security problems but also because they appeared to be identical, right down to the plain white box they came in, despite having different brand names. Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken.

    We bought two of these products, sold under the Fishbot and Rakeblue brands, and found the same vulnerabilities.

    The security issues are serious. People who face threats from a stalker or estranged abusive partner are sometimes spied on through their phones, online platforms, and connected smartphone devices. The vulnerabilities CR found could allow a dangerous person to take control of the video doorbell on their target’s home, watching when they and their family members come and go. 

    "Products like these, by failing to prioritize trust and safety, put domestic violence victims at risk. Without question, the one place a victim needs to be safe is in their home,” says Adam Dodge, CEO of EndTAB, a nonprofit that provides information on how to combat technology-enabled abuse. “Devices designed to make someone feel safe at home, while actually doing the opposite, shouldn’t be allowed on the market."

    CR tried to reach company officials at Eken and Tuck to warn them of the problems, hoping to have the issues fixed before reporting on them publicly. We did not receive responses.

    (After publication, Eken contacted CR and in a subsequent discussion said it was addressing the findings. “Eken has a dedicated R&D team and a robust and thorough R&D process to ensure our consumers’ privacy and safety are protected,” the company said in an emailed statement. CR will evaluate the company’s changes once they have rolled out to consumers.)

    First, these doorbells expose your home IP address and WiFi network name to the internet without encryption, potentially opening your home network to online criminals. Security experts worry there could be more problems, including poor security on the company servers where videos are being stored. 

    “The fact that they aren’t using encryption is egregious,” says Beau Woods, a digital security researcher with the cybersecurity advocacy group I Am The Cavalry. “It indicates there may be a whole host of bad practices.”

    The video doorbells pose a special threat to individuals who are in danger from people who know where they live.

    Anyone who can physically access one of the doorbells can take over the device—no tools or fancy hacking skills needed. Let’s imagine that an abusive ex-boyfriend wants to watch the comings and goings of his former partner and her children. He’d simply need to create an account on the Aiwit smartphone app, then go to his target’s home and hold down the doorbell button to put it into pairing mode. He could then connect the doorbell to a WiFi hotspot and take control of the device.

    All of the doorbells CR evaluated use the Aiwit smartphone app.

    As the new “owner” of the device, he could now watch who comes and goes, and when. 

    And he can see the device’s serial number. That’s dangerous because of the company’s poor security systems.

    When the stalker pairs the device to his phone, the original owner will get an email saying she no longer has access to the device. That might seem like a small technological glitch she can solve by simply re-pairing the device with her own phone, taking back control. 

    But once the stalker has the serial number, he can continue to remotely access still images from the video feed. (The CR journalist provided the serial number to Blair to allow him to remotely access her camera.) No password is needed, or even an account with the company, and no notification is sent to the doorbell’s owner.

    In our scenario, the dangerous actor will continue to see time-stamped photos of everyone who comes and goes. And if he chooses to share that serial number with other individuals, or even post it online, all those people will be able to monitor the images, too.
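
    The access-control gap described above, modeled as an added example (not code from Consumer Reports, Eken, or the Aiwit service): an image lookup that trusts the serial number alone, next to one that requires a logged-in account that is the device's current owner and tells the owner about denied attempts. Every class, function, field, and serial value below is hypothetical and constructed for illustration.

```python
"""Constructed model of a doorbell cloud service; all names are hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    serial: str
    owner: str                                  # account currently paired
    thumbnails: list = field(default_factory=list)


class DoorbellCloud:
    def __init__(self):
        self.devices = {}                       # serial -> Device
        self.sessions = {}                      # session token -> account
        self.notifications = []                 # (account, message) sent to users

    def login(self, account):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = account
        return token

    def pair(self, token, serial):
        """Re-pairing moves ownership and tells the previous owner."""
        account, dev = self.sessions[token], self.devices[serial]
        if dev.owner != account:
            self.notifications.append((dev.owner, f"{serial} paired elsewhere"))
            dev.owner = account

    # Flawed pattern: the serial number is the only "credential" checked.
    def thumbnails_by_serial(self, serial):
        return list(self.devices[serial].thumbnails)

    # Hardened pattern: valid session AND current ownership, with an audit trail.
    def thumbnails_for_owner(self, token, serial):
        account, dev = self.sessions.get(token), self.devices.get(serial)
        if account is None or dev is None or dev.owner != account:
            if dev is not None:
                self.notifications.append((dev.owner, f"denied access to {serial}"))
            raise PermissionError("caller is not the current owner")
        return list(dev.thumbnails)


def demo():
    serial = "SN-CONSTRUCTED-001"               # constructed sample value
    cloud = DoorbellCloud()
    cloud.devices[serial] = Device(serial, "resident", ["img1.jpg"])
    resident, other = cloud.login("resident"), cloud.login("other")
    cloud.pair(other, serial)                   # someone else pairs the device
    cloud.pair(resident, serial)                # resident pairs it back
    leaked = cloud.thumbnails_by_serial(serial) # no session needed at all
    try:
        cloud.thumbnails_for_owner(other, serial)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, cloud.thumbnails_for_owner(resident, serial), cloud.notifications


if __name__ == "__main__":
    print(demo())
```

    Re-pairing restores the resident's ownership, but only the second lookup actually ties image access to that ownership.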

    "Unencrypted personal data in network traffic is unfortunately not uncommon with connected devices, but I was shocked to find such a gaping security hole allowing complete strangers to freely harvest private video thumbnails,” Blair says. “The lack of basic access controls contradicts basic information security principles. It’s alarming."

    Many Brands, One Flawed Device

    Eken, Tuck, and the other brands we saw aren’t the biggest names in the video doorbell market, but they are strong sellers. The doorbells appeared in multiple listings on Amazon—we found eight for the Eken video doorbell and three for the Tuck version of the product. Those listings generated more than 4,200 sales in January 2024 alone.

    We also found these doorbells for sale at walmart.com, sears.com, and on the global marketplaces Shein and Temu. And seemingly identical video doorbells are available from even more brands. Walmart.com, for example, is selling them under the names Andoe, Gemee, and Luckwolf.

    “The large variety of brands, devices, versions, and sellers can make it extremely hard for buyers” to find safe, reliable products, Woods says. “It also increases the difficulty level for those trying to get unsafe or illegal devices out of these marketplaces.”

    In addition to contacting Eken and Tuck, Consumer Reports also told Amazon, Walmart, Sears, Shein, and Temu what we’d found. 

    We found the doorbells being sold on the online marketplaces of Amazon, Walmart, Sears, Shein, and Temu.

    Source: Manufacturers

    Temu said in an emailed statement that it was reviewing CR’s findings and had removed from its website all video doorbells using the Aiwit app and made by Eken—but similar-looking if not identical doorbells remained on the site. Walmart told CR via email that it expects the products sold in its marketplace “to be safe, reliable and compliant with our standards and all legal requirements. Items that are identified to not meet these standards or requirements will be promptly removed from the website and remain blocked.”

    Amazon, Sears, and Shein didn’t respond to questions from CR’s journalists.

    As of the end of February 2024, most of the products we found online were still available for sale on those retailers’ websites.

    On top of the security vulnerabilities, CR’s testers noticed that the doorbells lacked FCC identifiers that are supposed to be visible to consumers. These codes let you look up a product in an FCC database to see that it’s been tested to ensure it doesn’t cause harmful radio interference with other electronics or exceed safe radio-frequency limits for human health.

    We found FCC records online for some of the devices, including Eken-branded doorbells, which means those doorbells were tested. However, without visible IDs, they are illegal to sell in the U.S., according to published FCC rules. The agency did not comment directly on our findings. (After publication, Eken notified CR that it would be adding the IDs to its products so that "the FCC ID will be properly reflected in the new packaging of the products.")

    Amazon provides a link on every product listing to alert the company to problematic items. We used the link to report the missing FCC ID for the Tuck video doorbell, but days later, it was still available.

    Fast, Cheap R&D

    Over the past few months, Eken and Tuck video doorbells have often carried badges saying “Amazon’s Choice: Overall Pick.” The badges appeared even after CR alerted Amazon to the security problems.

    To many shoppers, an Amazon’s Choice label might imply that Amazon had deliberately chosen that video doorbell as one to keep in stock, and was promoting it for its quality. But that’s not the way it works. 

    Pop up on the Amazon website stating that the Tuck Video Doorbell is "Amazon's Choice" and represents "highly rated, well-priced products..."
    Over the past few months, the Eken and Tuck video doorbells listed on Amazon have often carried “Amazon’s Choice: Overall Pick” badges.

    Source: Amazon

    Like more than 6 out of every 10 items sold on Amazon, Eken’s products are posted by an independent company, with Amazon generally handling services such as warehouse services, shipping, and returns. Anyone can sell nearly anything on Amazon, and the company earned roughly $140 billion in revenue from third-party sellers in 2023. 

    That allows shoppers to find a vast array of products, but it can also make it hard to know just what you’re buying, and who’s selling it.

    All 10 of the doorbell brands, as well as the Aiwit app, appeared to be owned by an 18-year-old company called Eken Group Ltd., based in Shenzhen, China. The company also has an office in Southern California run out of an apartment in Temple City.

    (Eken didn’t respond to CR’s questions about its video doorbells before publication. After publication, the company told CR that it manufactures video doorbells under its own brand, and also manufactures white-label doorbells for separately owned brands.)

    For many Chinese tech companies, selling cheap hardware under multiple brand names can increase sales in a product category that’s very popular—until it isn’t, according to Andrew Huang, a prominent engineer and software expert who goes by the name Bunnie and is the author of “The Essential Guide to Electronics in Shenzhen.” At that point, Huang says, the company will switch products, moving on to the next big thing. 

    “For the security camera market, a brand is just a brand—think of it more like a marketing agency that can do a bit of injection molding and package design to create a look and feel, but they don’t do much beyond that,” he says. “They don’t hold a lot of inventory, and they flit in and out of existence, surfing the trends of commodity markets.”

    To create their products, such companies can take a reference design from a chip company that makes the brains inside electronic devices, buy the relevant electronics from neighboring factories, manufacture a cheap plastic case, and then assemble the final product. 

    Huang says some Chinese companies can put together a new electronic device in as little as two weeks.

    However, that kind of fast, cheap product development doesn’t lend itself to cybersecurity, according to Steve Hanna, who is responsible for IoT security strategy and technology at Infineon Technologies, a semiconductor company. 

    “It’s always the case that building a more secure product costs more,” he says, but for many low-cost IoT companies there is little economic incentive to include security because it is invisible to most consumers.

    If such products haven’t been vetted by Amazon, why are they receiving Amazon’s Choice badges? According to a company FAQ, the designation is based on a product’s “ratings, price, popularity, product availability and fast delivery.” They are generated dynamically by an algorithm and can suddenly pop up, then disappear just as quickly. 

    These doorbell cameras make it very easy to see who comes and goes from your home, and when.

    What Consumers Can Do

    If you own one of these doorbells, Consumer Reports recommends that you disconnect it from your home WiFi and remove it from your door. CR has evaluated video doorbells with much better security from brands including Logitech, SimpliSafe, and Ring—which is actually owned by Amazon. 

    More broadly, don’t assume that large online retail platforms have evaluated the safety of all the products they sell. Federal agencies and journalists have reported a variety of dangerous or illegal products for sale on Amazon over the years. 

    If you bought flawed items from a local store, it might be liable for damages or fines, but in previous legal proceedings Amazon has claimed that it’s not responsible for items sold by third parties on its platform, because for those sellers it’s just acting as a logistics company. The Consumer Product Safety Commission disagrees and has tussled with Amazon over this issue in the past. It is considering an order that would officially classify the marketplace as a “distributor of goods” with the responsibilities of conventional retailers, according to reporting in The Wall Street Journal. If such an order goes through, similar rulings could affect other online marketplaces. 

    Meanwhile, Consumer Reports is asking online retailers to take steps to guarantee the quality of the products available on their platforms. CR has also advocated for legislation to make online platforms strictly liable for selling defective products, and pushed for laws that make it clear that retailers need to take reasonable steps to keep harmful, fraudulent, or insecure products off their platforms.

    And we shared our findings about video doorbells with the Federal Trade Commission, which has the power to remove products like these from the marketplace. The agency declined to comment on what action it might take, noting that its investigations are private. (After publication, FCC Commissioner Geoffrey Starks sent letters to the retailers cited in this article asking what steps they take to ensure that products they sell conform to FCC regulations.)

    "Regulators need to be doing more to address the torrent of junk that’s out there,” says CR’s Brookman. “That means going after the manufacturers, but also the platforms that sell them—and apparently even explicitly recommend them."


    Stacey Higginbotham

    Stacey Higginbotham has been writing about technology for 20 years. Her articles have appeared in publications including Fortune, PCMag, and MIT Technology Review. She was also the founder and co-host of "The Internet of Things Podcast" and is a policy fellow with Consumer Reports working on security for connected devices and right to repair laws.

    Daniel Wroclawski

    Dan Wroclawski is a home and appliances writer at Consumer Reports, covering products ranging from refrigerators and coffee makers to cutting-edge smart home devices. Before joining CR in 2017, he was an editor at USA Today’s Reviewed, and launched the site’s smart home section. In his spare time, you can find him tinkering with one of the over 70 connected devices in his house. Follow Dan on Facebook and Twitter @danwroc.