Eken Electronics


Alacoque Whitchurch

Aug 3, 2024, 12:04:46 PM8/3/24
to downcurbdengio

Eken has recently upgraded its firmware to version 2.4.1 or higher. We believe this update significantly enhances the security of data transmission. For more information, please contact us at suppo...@eken.com.

Senator Marco Rubio (R-FL) is calling on the FCC to investigate PRC-made doorbell cameras after researchers identified serious security flaws, including successfully hacking them from thousands of miles away. The cameras are sold under several different brands by Amazon, Walmart, and others.

In this report, we examine Senator Rubio's letter to the FCC, obtained exclusively by IPVM, the security flaws discovered in these cameras, and the problem of insecure PRC-made surveillance technology.

On February 29, 2024, Consumer Reports published an evaluation that uncovered several serious security flaws in Eken-manufactured video doorbells, also sold as Tuck, Fishbot, Rakeblue, Andoe, Gemee, Luckwolf, and more, all controlled using the same Eken app "Aiwit."

Consumer Reports found that, with physical access, anyone can pair with and hijack the devices and obtain their serial numbers. While users can take back control by re-pairing them, with just the serial number a hacker can now remotely access still images from the cameras undetected, without even creating an Eken account.

The researchers also gained remote access to the doorbells, which transmit data unencrypted, describing how a test engineer hacked a colleague's doorbell and took pictures of her from 2,923 miles away.

Consumer Reports also discovered that the devices did not display Federal Communications Commission (FCC) IDs. Most electronic devices sold in the US require an FCC ID, without which they are illegal to sell or even import into the US.

Senator Rubio, who serves as Vice-Chair of the Senate Select Committee on Intelligence (SSCI), has for years prominently advocated stronger protections for Americans against cyber and national security threats posed by PRC-made technology.

In the letter, Senator Rubio calls for an investigation of the allegations against Eken. The security flaws, including the "appalling" lack of data encryption, make them "unsafe" and may be exploited by "criminals, stalkers, and even foreign intelligence operatives."

Beyond investigating Eken itself, Senator Rubio urged the FCC to "if necessary, hold retailers accountable for selling potentially illegal products that jeopardize the privacy and security of Americans."

As Senator Rubio and Consumer Reports also noted, IPVM found Eken video doorbells remain available on Amazon, Walmart, and Sears as of the publication of this article. On Amazon, the manufacturer's store page is still active.

Retailers like Amazon and Walmart exacerbate the problem with manufacturers like Eken by selling devices they know little about and cannot stand behind. They not only escape accountability when those devices have serious security flaws, but they often do little or nothing about it, as in this case so far. Amazon even endorsed Eken products with "Amazon's Choice" and "Overall Pick" badges, according to Consumer Reports.

As Senator Rubio states in his letter, these devices are "the latest in a long line of Chinese products that are dumped on our shores with no regard for our laws or the safety of our people," while Consumer Reports wrote, "they're just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S."

It is difficult to influence PRC-based corporations to change their practices; Eken refused to respond to inquiries from Consumer Reports, who hoped "to warn them of the problems, hoping to have the issues fixed before reporting on them publicly."

However, it is ultimately American retailers/distributors like Amazon and Walmart that facilitate access to US markets for companies like Eken, and they can play a major role in solving the problem by quickly removing bad actors, and proactively intercepting unsafe products.

The concerns raised by Consumer Reports and Senator Rubio highlight the problem of OEMing in the video surveillance industry, which IPVM has reported on extensively. Manufacturers like Hikvision can be sold under dozens of different brands.

With no disclosure of the true manufacturer, buyers cannot assess security concerns associated with their products. It also impedes regulatory agencies, like the FCC, and researchers like Consumer Reports, from assessing the scope of security vulnerabilities and alerting affected users, and sellers often fail to take accountability.

Senator Rubio wrote to the FCC because it is "the primary regulatory body for telecommunications," and likely given the FCC ID issue here. However, Consumer Reports also encouraged readers to sign a petition to the Federal Trade Commission, which is relevant here given its role in consumer protection and some cybersecurity regulation.

Update 02/08/24: FCC Commissioner Geoffrey Starks sent letters to five unspecified online marketplaces selling these devices to "identify ways to stop the unlawful sale of insecure IoT devices that violate FCC equipment authorization requirements," according to an FCC announcement.

As discussed above, online sellers often do little to deal with insecure or, as in this case, potentially illegal products. But they can often be exempt from any consequences for what manufacturers say about their products, or any risks from what they deliver. A lack of legal authority to compel action may be why Commissioner Starks phrases this as a request to work together with the marketplaces.

If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.

The two devices stood out not just because of the security problems but also because they appeared to be identical, right down to the plain white box they came in, despite having different brand names. Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken.

First, these doorbells expose your home IP address and WiFi network name to the internet without encryption, potentially opening your home network to online criminals. Security experts worry there could be more problems, including poor security on the company servers where videos are being stored.

When the stalker pairs the device to his phone, the original owner will get an email saying she no longer has access to the device. That might seem like a small technological glitch she can solve by simply re-pairing the device with her own phone, taking back control.

In our scenario, the dangerous actor will continue to see time-stamped photos of everyone who comes and goes. And if he chooses to share that serial number with other individuals, or even post it online, all those people will be able to monitor the images, too.

We also found these doorbells for sale at walmart.com, sears.com, and on the global marketplaces Shein and Temu. And seemingly identical video doorbells are available from even more brands. Walmart.com, for example, is selling them under the names Andoe, Gemee, and Luckwolf.

We found FCC records online for some of the devices, including Eken-branded doorbells, which means those doorbells were tested. However, without visible IDs, they are illegal to sell in the U.S., according to published FCC rules. The agency did not comment directly on our findings. (After publication, Eken notified CR that it would be adding the IDs to its products so that "the FCC ID will be properly reflected in the new packaging of the products.")

Amazon provides a link on every product listing to alert the company to problematic items. We used the link to report the missing FCC ID for the Tuck video doorbell, but days later, it was still available.

All 10 of the doorbell brands, as well as the Aiwit app, appeared to be owned by an 18-year-old company called Eken Group Ltd., based in Shenzhen, China. The company also has an office in Southern California run out of an apartment in Temple City.

To create their products, such companies can take a reference design from a chip company that makes the brains inside electronic devices, buy the relevant electronics from neighboring factories, manufacture a cheap plastic case, and then assemble the final product.

Meanwhile, Consumer Reports is asking online retailers to take steps to guarantee the quality of the products available on their platforms. CR has also advocated for legislation to make online platforms strictly liable for selling defective products, and pushed for laws that make it clear that retailers need to take reasonable steps to keep harmful, fraudulent, or insecure products off their platforms.

And we shared our findings about video doorbells with the Federal Trade Commission, which has the power to remove products like these from the marketplace. The agency declined to comment on what action it might take, noting that its investigations are private. (After publication, FCC Commissioner Geoffrey Starks sent letters to the retailers cited in this article asking what steps they take to ensure that products they sell conform to FCC regulations.)
