The Spy Within

Internet of Things (IoT) devices do not exactly have a good reputation for implementing appropriate security measures, but some cases are far worse than others. We have all seen the headlines highlighting the vulnerabilities and data breaches that have plagued IoT ecosystems in recent years. These incidents emphasize the broader challenges surrounding IoT security and the need for a more comprehensive approach to mitigating risks in connected environments.

But that does not mean that device manufacturers are all taking these lessons to heart. In one particularly alarming example, Consumer Reports recently called out some cheap video doorbell systems with virtually non-existent security. The devices are sold by brand names that no one has ever heard of, like Eken, Tuck, Fishbot, and Rakeblue. But while they are sold under many — perhaps more than a dozen — names, the devices, including the packaging and companion app, are all identical, indicating that they all originate from the same Chinese manufacturer.

Despite the lack of brand recognition, these devices are sold by the thousands each month through major retailers like Amazon, Walmart, Sears, and Temu (some retailers may have stopped selling the cameras since the exploit was revealed, however). Given that these doorbell cameras sell for under $30 in some cases, and have impressive features and thousands of glowing reviews, that is not entirely surprising.

But when looking beneath the surface, you might find that you get what you pay for when you buy a cheap IoT device. In this particular case, you might not even get that. It was found that these cameras transmit sensitive information over the Internet with no encryption. That includes information like your IP address and WiFi network name — but worst of all, it also transmits unencrypted images captured by its camera.

To take over a camera, an attacker initially needs physical access to the device. By simply pressing a button, the camera is put into a Bluetooth pairing mode, which allows anyone with the companion smartphone app to take ownership. Doing this will cause the original owner to get an email alerting them to the change, which allows them to take ownership back.

However, after taking ownership, if even for a brief time, the attacker will have access to the device’s unique identifier, and that is where things get really bad. With this information, still images can be remotely retrieved from the camera. No password, encryption, or other security measures stand in the way. Furthermore, the owner of the camera will not be notified that this is happening, leaving them completely unaware that they are being spied on.

The companion app, called Aiwit, has been downloaded more than a million times from the Google Play Store, so this appears to be a significant security concern for many individuals. Unfortunately, these concerns may not be addressed any time soon, if ever. As of this writing, Eken had not responded to Consumer Reports’ questions about the device’s lack of security.