Eken patches doorbell camera flaws after Consumer Reports hack

When Eken Group rolled out its low‑cost video doorbell cameras, few expected they would become a headline‑making security nightmare, but Consumer Reports blew the whistle in late February 2024.

In a press release issued from the organization’s Media Room in Washington, DC, the nonprofit disclosed that the devices – sold under names like Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee and Luckwolf on sites such as Amazon, Walmart, Sears, Shein and Temu – suffered from a serious design flaw: anyone with the serial number could remotely hijack the camera, see live video and even pull the homeowner’s IP address.

The proof came from Steve Blair, a privacy and security test engineer at Consumer Reports. Blair demonstrated the breach by logging into a Yonkers, New York doorbell from 2,923 miles away, sending a grainy snapshot of his own waving hand back to a Consumer Reports journalist. The simplicity of the exploit – no fancy tools, just the serial number – turned what should have been a safety device into a potential surveillance gateway.

Why the flaw mattered

At its core, the security vulnerabilities exposed two layers of risk. First, a malicious actor could watch a family’s front‑door activity in real time, learning when occupants arrived or left. Second, the camera’s firmware leaked the home’s Wi‑Fi network name (SSID) and broadband IP address, information that can be weaponized for broader attacks on the home network.

Because the cameras were marketed as “smart” security upgrades, many buyers assumed a baseline of protection. The reality – a single serial‑number lookup could grant full control – shattered that trust and sparked a wave of consumer anxiety across the United States.

Regulatory red flags and FCC involvement

Beyond privacy concerns, the devices lacked the mandatory FCC identification label on both packaging and the plastic housing. That omission, according to the Federal Communications Commission, rendered the cameras illegal for sale in the U.S. market.

Geoffrey Starks, an FCC commissioner, sent formal letters in March 2024 to the five retailers named in the report, demanding explanations for why the non‑compliant products were still on their shelves and how they intended to enforce security standards. The letters gave the retailers until March 22 to reply – a deadline that, to date, remains murky.

Eken’s technical response

Within weeks of the Consumer Reports findings, Eken’s engineering team met directly with the nonprofit’s test engineers. The outcome was a firmware rollout – version 2.4.1 or higher – that patched the serial‑number backdoor, encrypted data transmissions, and added the missing FCC label in the device’s electronic manual accessible through the Aiwit app.

Consumer Reports retested a sample batch after the update and lifted its “Don’t Buy” warning. The organization noted that the patched firmware closed the loophole completely, restoring confidence for owners who chose to keep the hardware.

Financial repercussions

In November 2024, the FCC moved from warning to enforcement, proposing a fine of $734,872 against Eken Group. The proposed penalty stemmed directly from the earlier investigation, citing both the privacy breach and the failure to provide proper FCC identification.

The fine, while sizable for a mid‑size Hong Kong manufacturer, also signals a broader regulatory shift: budget‑priced smart‑home devices are no longer safe havens for lax security practices.

Industry ripple effects

  • Major online marketplaces have begun tightening their vetting processes for IoT products, demanding proof of FCC compliance before listing.
  • Competitors in the low‑cost doorbell segment announced independent security audits, hoping to avoid similar fallout.
  • Consumer advocacy groups are calling for a federal “smart‑home security standard” that would require third‑party penetration testing before devices reach consumers.

Retailers such as Amazon and Walmart quietly removed the flagged models – the Eken Smart Video Doorbell and the Tuck Sharkpop Doorbell Camera – from their storefronts shortly after the report’s release. However, the episode has left many consumers wary of buying inexpensive smart‑home gear without clear security assurances.

What owners should do now

If you own any of the affected doorbell cameras, the first step is to verify the firmware version. Open the Aiwit app, navigate to Settings → Device Info, and confirm the version reads 2.4.1 or later. If the update hasn’t been applied, follow the in‑app prompts to download it immediately.

For those who’ve decided to get rid of the devices, consider recycling them through an e‑waste program rather than throwing them in the trash – the hardware still contains components that could be repurposed safely.

Looking ahead

The Eken episode may become a textbook case for how consumer‑led testing can force manufacturers and regulators to act. As smart‑home ecosystems grow, the tension between convenience and privacy will keep increasing. Future congressional hearings are expected to address IoT security, and lawmakers may draft legislation that mandates “security‑by‑design” for any device that connects to the internet.

For now, the most practical takeaway is simple: treat any connected device as a potential entry point, keep firmware up to date, and stay informed about the companies behind the gadgets you bring into your home.

Frequently Asked Questions

How can I check if my Eken doorbell has the new firmware?

Open the Aiwit app, go to Settings → Device Info, and look for version 2.4.1 or higher. If it shows a lower number, tap “Check for updates” and follow the on‑screen instructions to install the patch.

What were the main security flaws discovered?

The cameras allowed remote access using only the device’s serial number, exposing live video feeds and leaking the home’s IP address and Wi‑Fi SSID. The firmware also lacked encrypted communication, making data easy to intercept.

Why did the FCC fine Eken Group?

The fine of $734,872 was proposed because the devices were sold without required FCC identification labels and because they contained privacy‑breaching vulnerabilities that violated U.S. communications regulations.

Are other budget smart‑home devices at risk?

Industry analysts say the issue highlights a wider problem: many low‑priced IoT products skip rigorous security testing. Consumers should look for third‑party certifications and keep devices updated, regardless of price.

What actions are retailers taking after the report?

Amazon, Walmart, Sears, Shein and Temu have removed the flagged models from their listings and are reportedly tightening their product‑approval processes to require FCC compliance documentation before new smart‑home items go live.