Exclusive: Senator Rubio Calls for FCC Investigation of Vulnerable "Amazon's Choice" PRC China Doorbell Cameras

Published Mar 08, 2024 16:14 PM

Senator Marco Rubio (R-FL) is calling on the FCC to investigate PRC-made doorbell cameras after researchers identified serious security flaws and successfully hacked the cameras from thousands of miles away. The cameras are sold under several different brands by Amazon, Walmart, and others.

In this report, we examine Senator Rubio's letter to the FCC, obtained exclusively by IPVM, the security flaws discovered in these cameras, and the problem of insecure PRC-made surveillance technology.

Consumer Reports: Popular Video Doorbells Easily Hacked, Hijacked

On February 29, 2024, Consumer Reports published an evaluation that uncovered several serious security flaws in Eken-manufactured video doorbells, also sold as Tuck, Fishbot, Rakeblue, Andoe, Gemee, Luckwolf, and more, all controlled using the same Eken app "Aiwit."

Consumer Reports found that, with physical access, anyone can pair with and hijack the devices and obtain their serial numbers. While users can take back control by re-pairing them, a hacker who has just the serial number can still remotely access still images from the cameras undetected, without even creating an Eken account.

The researchers also gained remote access to the doorbells, which transmit data unencrypted, describing how a test engineer hacked a colleague's doorbell and took pictures of her from 2,923 miles away.

Consumer Reports also discovered that the devices did not display Federal Communications Commission (FCC) IDs. Most electronic devices sold in the US require an FCC ID, without which they are illegal to sell or even import into the US.

Senator Rubio Calls on FCC to Investigate

Consumer Reports' findings prompted Senator Marco Rubio (R-FL) to call for an investigation in a March 7, 2024, letter to FCC Chair Jessica Rosenworcel, which IPVM exclusively obtained.

Senator Rubio, who serves as Vice-Chair of the Senate Select Committee on Intelligence (SSCI), has for years prominently advocated stronger protections for Americans against cyber and national security threats posed by PRC-made technology.

In the letter, Senator Rubio calls for an investigation of the allegations against Eken. The security flaws, including the "appalling" lack of data encryption, make the devices "unsafe" and may be exploited by "criminals, stalkers, and even foreign intelligence operatives."

"Eken devices are not only unsafe—they may be illegal…. I urge you to investigate these serious allegations against Eken..."

"Eken fails to encrypt any data transmitted from the doorbell to the app via the internet. This appalling security flaw exposes users’ home internet protocol (IP) addresses and WiFi network names. Criminals, stalkers, and even foreign intelligence operatives can easily exploit this vulnerability to monitor the comings and goings of individuals from a home."

"Hold Retailers Accountable" - Eken Still Available on Amazon, Walmart, Others

Beyond investigating Eken itself, Senator Rubio urged the FCC to "if necessary, hold retailers accountable for selling potentially illegal products that jeopardize the privacy and security of Americans."

As Senator Rubio and Consumer Reports also noted, IPVM found Eken video doorbells remain available on Amazon, Walmart, and Sears as of the publication of this article. On Amazon, the manufacturer's store page is still active.

Retailers like Amazon and Walmart exacerbate the problem with manufacturers like Eken by selling devices they know little about and cannot stand behind. They not only escape accountability when those devices have serious security flaws, they often do little or nothing about it, as in this case so far. Amazon even endorsed Eken products with "Amazon's Choice" and "Overall Pick" badges, according to Consumer Reports.

As Senator Rubio states in his letter, these devices are "the latest in a long line of Chinese products that are dumped on our shores with no regard for our laws or the safety of our people," while Consumer Reports wrote, "they're just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S."

It is difficult to influence PRC-based corporations to change their practices; Eken refused to respond to inquiries from Consumer Reports, which reached out "to warn them of the problems, hoping to have the issues fixed before reporting on them publicly."

However, it is ultimately American retailers/distributors like Amazon and Walmart that facilitate access to US markets for companies like Eken, and they can play a major role in solving the problem by quickly removing bad actors and proactively intercepting unsafe products.

Highlights Problem of OEMs in Video Surveillance

The concerns raised by Consumer Reports and Senator Rubio highlight the problem of OEMing in the video surveillance industry, which IPVM has reported on extensively. Products from manufacturers like Hikvision can be sold under dozens of different brands.

With no disclosure of the true manufacturer, buyers cannot assess security concerns associated with their products. The lack of disclosure also impedes regulatory agencies like the FCC and researchers like Consumer Reports from assessing the scope of security vulnerabilities and alerting affected users, and sellers often fail to take accountability.

Consumer Reports found "at least 10 more seemingly identical video doorbells being sold under a range of brand names" and "found the same vulnerabilities."

Consumer Reports Petition to the FTC

Senator Rubio wrote to the FCC because it is "the primary regulatory body for telecommunications," and likely also because of the FCC ID issue here. However, Consumer Reports also encouraged readers to sign a petition to the Federal Trade Commission, which is relevant here given its role in consumer protection and some cybersecurity regulation.

Update 02/08/24: FCC Commissioner Geoffrey Starks sent letters to five unspecified online marketplaces selling these devices to "identify ways to stop the unlawful sale of insecure IoT devices that violate FCC equipment authorization requirements," according to an FCC announcement.

As discussed above, online sellers often do little to deal with insecure or, as in this case, potentially illegal products. Yet they can often be exempt from any consequences for what manufacturers say about their products, or any risks from what they deliver. A lack of legal authority to compel action may be why Commissioner Starks phrases this as a request to work together with the marketplaces:

"Working together, we must find better ways to stop risky and unlawful products from entering the commerce stream – and from seeing their sales irresponsibly boosted when they are listed online."
