Temuri Takalandze
How a $12 Temu Doorbell Lets Anyone on the Internet Ring Your Bell

I picked up a no-name smart doorbell from Temu, the kind that sells for $12 and ships under a dozen rebrands. I wanted to know if the security was as cheap as the hardware. It was worse.

The device talks to a backend run by Guangzhou Qiangui IoT (Naxclow brand). Every API request carries a "signature" that looks like authentication. It is not. The signing secret is a hardcoded alphanumeric string baked into every firmware image. Pull it out once and you can forge requests for any of these doorbells, anywhere.

From there, two signed requests reassign ownership of any doorbell to an attacker. The victim's app silently drops the device while it stays online. One more request returns the doorbell's relay password in plaintext, and that password never rotates, not even after a factory reset. With the password, you can impersonate the doorbell during a live call and stream attacker-chosen video to the homeowner.
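
The three design failures above (one signing secret shared by every unit, a signature treated as authorization, and a relay password that never rotates) map onto three backend checks. The model below is an added illustration, not the vendor's code or anything from the full writeup; the `Backend` class, its method names and the message formats are assumptions made for the example.

```python
import hmac
import hashlib
import secrets


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 request signature; a device signs with its own key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class Backend:
    """Constructed model of a doorbell backend that avoids the three flaws."""

    def __init__(self):
        self.device_keys = {}   # device_id -> key unique to that unit, not one secret baked into all firmware
        self.owners = {}        # device_id -> owner account
        self.relay_pw = {}      # device_id -> current relay password
        self.user_tokens = {}   # user bearer token -> account

    def provision(self, device_id, owner, token):
        self.device_keys[device_id] = secrets.token_bytes(32)
        self.owners[device_id] = owner
        self.relay_pw[device_id] = secrets.token_urlsafe(16)
        self.user_tokens[token] = owner

    def _verify(self, device_id, message, sig):
        key = self.device_keys.get(device_id)
        return key is not None and hmac.compare_digest(sign(key, message), sig)

    def transfer_ownership(self, device_id, new_owner, token, sig):
        # A valid signature only shows the request is bound to this unit.
        # Who may transfer it is a separate authorization check on the user.
        msg = f"transfer:{device_id}:{new_owner}".encode()
        if not self._verify(device_id, msg, sig):
            return "bad-signature"
        if self.user_tokens.get(token) != self.owners.get(device_id):
            return "not-owner"
        self.owners[device_id] = new_owner
        self.relay_pw[device_id] = secrets.token_urlsafe(16)  # new owner, new relay password
        return "ok"

    def factory_reset(self, device_id, sig):
        if not self._verify(device_id, f"reset:{device_id}".encode(), sig):
            return "bad-signature"
        self.relay_pw[device_id] = secrets.token_urlsafe(16)  # reset rotates, never reuses
        return "ok"

    def get_relay_password(self, device_id, token):
        # Readable only by the current owner, never by a bare signed request.
        if self.user_tokens.get(token) != self.owners.get(device_id):
            return None
        return self.relay_pw[device_id]
```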

The full writeup walks through the firmware extraction, the API reverse engineering, and the live-call hijack proof of concept. There is also a short list of things cheap-IoT vendors keep getting wrong, and a few pointers for owners who want to keep using the device safely (short version: VLAN your IoT).

Originally published on https://www.abgeo.dev/blog/anyone-can-ring-your-doorbell/.
