Source: securityboulevard.com – Author: Richi Jennings
Amazon, Sears and Shein still sell security swerving stuff.
Cheap Chinese doorbell cameras aren’t always super-secure, say researchers. I know, I know—huge shock, right? But it’s good that mainstream consumer media is banging the drum so normies might get the message.
Unfortunately, some retailers aren’t listening. In today’s SB Blogwatch, we look into it.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Last Starfighter.
EKEN IoT FAIL
What’s the craic? Lorenzo Franceschi-Bicchierai reports—“Popular video doorbells can be easily hijacked”:
“Marketplaces cannot be trusted”
Several internet-connected doorbell cameras have a security flaw that allows hackers to take over the camera by just holding down a button, among other issues. … EKEN, a company based in Shenzhen, China, … makes cameras branded as EKEN … Tuck and other brands. These relatively cheap doorbell cameras were available on online marketplaces like Walmart and Temu. [They] remain available for sale on Amazon, Sears and Shein.
…
If someone is in close proximity to an EKEN doorbell camera, they can take “full control” of it by simply downloading its official app [and] holding down the doorbell’s button for eight seconds. … The doorbells broadcast the owners’ IP addresses [and] the unencrypted name of the local Wi-Fi network … over the internet. [And] they broadcast still images captured by the cameras, which can be intercepted and seen by anyone without needing a password.
…
This research shows … consumers have no way to know whether internet-connected smart devices … have the appropriate privacy and security measures in place. And, that online marketplaces cannot be trusted to vet what they sell.
Are you surprised? Mariella Moon isn’t—“Surprise, this $30 video doorbell has serious security issues”:
“Dangerous exes”
Amazon, which has even given some of their listings the Amazon Choice badge, [lists them] under the brands Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee and Luckwolf, among others. [I] found them on … Alibaba and … Lazada, as well.
…
Based on the ratings these doorbells … got on Amazon, the platform has sold thousands to people who were probably expecting the devices to be able to provide some form of security for their homes. Instead, the devices pose a threat to their safety and privacy. The doorbells could even put people’s well-being and lives at risk if, say, they have stalkers or are domestic violence victims with dangerous exes.
Horse’s mouth? Stacey Higginbotham, with Daniel Wroclawski—“These Video Doorbells Have Terrible Security”: [That’s the most “Captain Obvious” headline, ever—Ed.]
“Disconnect it”
Steve Blair, a [Consumer Reports] privacy and security test engineer who had hacked into [my] doorbell from 2,923 miles away … was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in [it]. The security issues are serious. [They] could allow a dangerous person to take control of the video doorbell on their target’s home, watching when they and their family members come and go.
…
The doorbells also lack a visible ID issued by the [FCC], making them illegal. … Thousands of these video doorbells are sold each month [but] they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers. … Amazon, Sears, and Shein didn’t respond.
…
If you own one of these doorbells, … disconnect it from your home WiFi and remove it from your door.
And replace it with a “name brand”? Not a panacea, according to balthazarr:
The problem [is] many “name brand” products have had security issues (perhaps not as egregious as these), and limited firmware updates to patch vulnerabilities found after support has ended. There needs to be regulation in the IoT space. It’s past time.
Certainly can happen to anyone. u/Stevesan***hole agrees:
Even sticking with known brands has its downsides — just look at Wyze’s recent issues with an outage and people seeing others’ camera feeds. Heck, even look at Eufy (Anker) before that and their controversy.
The best thing you can do is roll your own self-hosted home automation and security. Unfortunately that comes with a much higher cost in most cases.
It’s another example of Cory Doctorow’s doctrine of en****tification. RyHerbs widens the context:
More broadly, the “Amazon’s Choice” label has become an absolute joke … (recommending terrible or unsafe products being the main [reason]). And Amazon itself seems to be hurdling toward becoming just another TEMU or Wish clone, which sucks. Just about the only benefit of having a Prime account these days is the fast, “free” delivery.
What a mess. RitchCraft lays it on the line:
It’s one thing to purchase products made in China for other companies (looking at you Apple), but you are just asking for it if you purchase Chinese products made in China for the Chinese market. Chinese manufacturers don’t give a **** about security, because it’s not in their interest to do so.
I’m sure the CCP either rewards or mandates Chinese companies to keep this piss poor level of security. Stop buying Chinese **** that has anything to do with security. It’s the same thing as asking a thief to guard the valuables in your home.
How does this happen? nimble brings us this PSA:
Ah, the regular reminder that the S in IoT stands for security.
We’re our own worst enemies. So says foremi:
Companies will take our privacy seriously when we take our privacy seriously. Currently, people willing give out all of their most private information with no regard. The largest companies in the world rely and profit from it.
Meanwhile, billybob2001 feels a touch of déjà vu:
I thought this story rang a bell.
And Finally:
CW: A few mild swears, a young Wil Wheaton, pr0n addiction.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Severin Demchuk (via Unsplash; leveled and cropped)
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2024/03/video-doorbell-eken-richixbw/
Category & Tags: API Security,Application Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Andoe,Anker,camera,camera hijacking,camera vulnerability,cameras,CCTV camera,CCTV cameras,Consumer IoT,Consumer Reports,Doorbell Camera,Eken,enshittification,Eufy,Fishbot,Gemee,hacked Wi-FI,Internet of things,Internet of Things (IoT),Internet of Things (IoT) Security,Internet of Things cyber security,internet-enabled cameras,iot,IoT camera,IoT security camera,IP surveillance cameras,ipcamera,Luckwolf,Rakeblue,Ring Camera,Ring Doorbell,safe wifi,SB Blogwatch,Sears,SHEIN,The ‘S’ in IoT stands for Security,Tuck,unsecure Wi-FI,Wi-Fi,Wi-Fi hacking,Wi-Fi networks,wi-fi security,Wyze – API Security,Application Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Andoe,Anker,camera,camera hijacking,camera vulnerability,cameras,CCTV camera,CCTV cameras,Consumer IoT,Consumer Reports,Doorbell Camera,Eken,enshittification,Eufy,Fishbot,Gemee,hacked Wi-FI,Internet of things,Internet of Things (IoT),Internet of Things (IoT) Security,Internet of Things cyber security,internet-enabled cameras,iot,IoT camera,IoT security camera,IP surveillance cameras,ipcamera,Luckwolf,Rakeblue,Ring Camera,Ring Doorbell,safe wifi,SB Blogwatch,Sears,SHEIN,The ‘S’ in IoT stands for Security,Tuck,unsecure Wi-FI,Wi-Fi,Wi-Fi hacking,Wi-Fi networks,wi-fi security,Wyze
Views: 0
