Some doorbell cameras which many people buy to bring themselves a higher sense of security are actually not very secure themselves, according to a Consumer Reports investigation.
The report, published Thursday by the product review organization, found a number of these video doorbells have serious vulnerabilities that allow outside users to hack into them, providing bad actors access to the camera's footage or even the ability to completely control the device.
The researchers found these flaws in at least a dozen seemingly identical doorbells sold under different brand names including EKEN, Tuck, Fishbot and Rakeblue. However, they are all made by the same Chinese manufacturer, EKEN, and controlled through the same EKEN-operated mobile app, Await, the report found.
While they're not the biggest names in the market, thousands of these cameras are sold in the U.S. each month through various online retailers like Amazon, Walmart, Sears, Shein and Temu, which removed all EKEN doorbells from its website after CR shared its findings. Walmart said the items have been removed from its website and will offer refunds for customers who want to return the products.
On Amazon, the cameras are an "Amazon's Choice: Overall Pick," with 11 EKEN doorbell listings generating more than 4,200 sales in January alone, CR found.
"Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell," said Justin Brookman, director of technology policy for CR. "There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they're coasting on their reputation and saddling unknowing consumers with broken products."
The CR team said the EKEN doorbells can expose your home IP address and WiFi network names without encryption, possibly opening your home network to malicious users.
Amazon's Ring announces big change, and customers are not happy
The security company says prices for its Ring Protect Basic will grow 25% for U.S. customers and 43% for those in the U.K.
But beyond web hacking, CR says anyone who is in close physical proximity to the doorbell can hack it too just by creating an account on the Await app and pressing the device's button to put it in pairing mode. The bad actor could then pair their phone to make themselves the new "owner" of the camera, giving them the ability to watch current and previous images as well as lock out the true owner of the camera, CR found.
The true owner will get an email alert that the app has switched to a new device, but even after retaking control, the dangerous person could still remotely access the device using its serial number, the report says.
Researchers also found the doorbells lack a visible Federal Communications Commission-issued ID number, which would allow consumers to look up a product to ensure its safety. The ID number is required by agency regulations, meaning the devices would be illegal to distribute in the U.S. without having them visibility printed.
"Regulators need to be doing more to address the torrent of junk that's out there," Brookman said. "That means going after the manufacturers, but also the platforms that sell them — and apparently even explicitly recommend them."
If you do own one of these devices, CR recommends disconnecting it from your home WiFi and removing it from your door. The group said it's also asked online retailers to better guarantee the safety of their products while it pushes for federal action.
EKEN, Amazon, Sears and Shein didn't respond to CR's requests for comment.