Anyone on the Internet Can Ring Your Doorbell
4 days ago
- #Smart Doorbell Vulnerabilities
- #IoT Security
- #Responsible Disclosure
- A smart doorbell purchased from Temu, the 'Smart Doorbell X3', was found to have severe security vulnerabilities allowing unauthorized access and control.
- An attacker can silently steal any of these doorbells from the owner's account with just two signed POST requests, making the device disappear from the original owner's app without any indication.
- The device's persistent relay password can be obtained with a single signed request containing the device ID, enabling attackers to impersonate the doorbell during live calls with custom video and audio.
- Wi-Fi credentials, including SSID, PSK, and session keys, are leaked via the UART debug console during boot, which is accessible with physical access using only a screwdriver.
- The device IDs are sequential and predictable (format: 1e2023XXXXXX), making the entire fleet enumerable and susceptible to automated attacks.
- The alert system allows anyone on the internet to ring an owner's phone with a custom image via a forged signed request, as there is no authentication beyond a weak signature.
- Call setup and media streams are unencrypted, exposing credentials and live video/audio to anyone on the network path.
- The firmware uses a hardcoded, static 'secret' for request signatures, identical across all devices, allowing easy forging of valid requests.
- Over-the-air (OTA) updates are broken due to a missing download partition, meaning devices in the field cannot receive security fixes.
- The vendor, Naxclow (Guangzhou Qiangui IoT Technology Co., Ltd.), was contacted but did not respond, leading to public disclosure after one week.
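Added defender-side example (not code from the original write-up or from the vendor): because the `1e2023XXXXXX` device IDs are sequential, an enumeration attempt shows up server-side as one client touching runs of consecutive IDs. The script below parses a constructed access-log format and flags such clients; the log format, API paths, and IP addresses are assumptions, not the real backend's.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the vendor's real format):
#   <client_ip> <method> <path> device_id=<id> status=<code>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"device_id=(?P<dev>1e2023\d{6}) status=(?P<status>\d{3})$"
)

# Constructed sample: one legitimate owner and one client walking consecutive IDs.
SAMPLE_LOG = """\
198.51.100.7 POST /api/device/bind device_id=1e2023004711 status=200
203.0.113.9 POST /api/device/relaypw device_id=1e2023000100 status=200
203.0.113.9 POST /api/device/relaypw device_id=1e2023000101 status=200
203.0.113.9 POST /api/device/relaypw device_id=1e2023000102 status=404
203.0.113.9 POST /api/device/relaypw device_id=1e2023000103 status=200
203.0.113.9 POST /api/device/relaypw device_id=1e2023000104 status=200
198.51.100.7 GET /api/device/status device_id=1e2023004711 status=200
"""

def parse_log(text):
    """Yield (client_ip, sequential_part) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # The six trailing digits after the fixed '1e2023' prefix are the counter.
            yield m["ip"], int(m["dev"][6:])

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in a sorted, de-duplicated list."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(text, min_run=4):
    """Return {client_ip: run_length} for clients that touched >= min_run consecutive IDs."""
    seen = defaultdict(set)
    for ip, dev in parse_log(text):
        seen[ip].add(dev)
    flagged = {}
    for ip, devs in seen.items():
        run = longest_sequential_run(sorted(devs))
        if run >= min_run:
            flagged[ip] = run
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.9': 5}
```

Error responses (the 404 above) are counted too, since a scan of a sparse ID space is visible precisely in the misses as well as the hits.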