Fatal Vulnerability Found in $12 Smart Doorbell—Accounts Can Be Hijacked and Calls Intercepted

A severe security flaw has been discovered in a $12 smart doorbell sold on Temu, allowing attackers to hijack accounts and fake video calls to owners.

Reviewed & edited by the SINGULISM Editorial Team

Photo by Sebastian Scholz (Nuki) on Unsplash

Severe Security Flaw Lurking in Low-Cost Smart Doorbell

A critical security vulnerability has been uncovered in the $12 “Smart Doorbell X3” sold on Temu, which allows attackers to completely hijack the owner’s account and send fake video calls to the device owner. This issue, revealed through an investigation by security researchers, stems not from the individual device itself but from the design of the backend platform the device connects to.

What Attackers Can Do: Account Hijacking and Call Interception

According to a blog post from researchers, exploiting this vulnerability enables anyone on the internet to perform the following actions:

  1. Silent device takeover: Attackers could simply create a free account on the platform, disconnect the target doorbell from its legitimate owner’s account, and bind it to their own. As a result, any calls made by the doorbell would no longer be routed to the owner’s phone but to the attacker’s.
  2. Sending fake video calls to the owner: Attackers could also impersonate the device and initiate new calls that display arbitrary video content on the owner’s phone. This attack required no special permissions, and the legitimate doorbell would remain online without any sign of the intrusion.
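The two capabilities above both come down to the backend not checking who is allowed to bind a device or to originate a call for it. The following is an added illustration written for this article, not code from the researchers or from Naxclow: a small in-memory model of a doorbell backend that contrasts the weak pattern (any logged-in account may rebind or ring any device ID) with a hardened one (rebinding requires the device to be unbound or owned by the caller plus a pairing code issued only after the device authenticates, and calls are accepted only from the authenticated device). The per-device secret, the HMAC proof and the pairing-code flow are assumptions for the model, not details of the real platform.

```python
"""Constructed model of a smart-doorbell backend's binding and call-routing logic.

The per-device secret, HMAC-based device authentication and the pairing-code step
are assumptions made for this example; nothing here reflects the real platform's API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import hashlib
import hmac
import secrets


def device_proof(device_secret: bytes, device_id: str) -> str:
    """Proof the physical device can compute: HMAC over its own ID with its provisioned secret."""
    return hmac.new(device_secret, device_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Device:
    device_id: str
    secret: bytes                       # provisioned at manufacture (assumption)
    owner: Optional[str] = None         # account the doorbell is bound to
    pairing_code: Optional[str] = None  # short-lived code issued to the authenticated device


@dataclass
class Backend:
    devices: Dict[str, Device] = field(default_factory=dict)
    users: Set[str] = field(default_factory=set)

    def register_user(self, name: str) -> None:
        self.users.add(name)  # free self-service sign-up, as on the real platform

    def _check_device(self, device_id: str, proof: str) -> Device:
        dev = self.devices[device_id]
        if not hmac.compare_digest(device_proof(dev.secret, device_id), proof):
            raise PermissionError("device authentication failed")
        return dev

    # --- weak pattern: authorization stops at "is logged in" -------------------
    def bind_device_insecure(self, user: str, device_id: str) -> None:
        assert user in self.users
        self.devices[device_id].owner = user  # no check of the current owner at all

    def ring_insecure(self, user: str, device_id: str) -> Optional[str]:
        assert user in self.users
        return self.devices[device_id].owner  # any account can push a call to the owner

    # --- hardened pattern ------------------------------------------------------
    def issue_pairing_code(self, device_id: str, proof: str) -> str:
        """Only the authenticated device obtains a pairing code (e.g. shown on-device)."""
        dev = self._check_device(device_id, proof)
        dev.pairing_code = secrets.token_hex(4)
        return dev.pairing_code

    def bind_device(self, user: str, device_id: str, pairing_code: str) -> None:
        assert user in self.users
        dev = self.devices[device_id]
        if dev.owner is not None and dev.owner != user:
            raise PermissionError("device already bound to another account")
        if dev.pairing_code is None or not hmac.compare_digest(dev.pairing_code, pairing_code):
            raise PermissionError("invalid pairing code")
        dev.owner = user
        dev.pairing_code = None  # single use

    def unbind_device(self, user: str, device_id: str) -> None:
        dev = self.devices[device_id]
        if dev.owner != user:
            raise PermissionError("only the bound owner may unbind")
        dev.owner = None

    def route_call(self, device_id: str, proof: str) -> Optional[str]:
        """A call is routed to the owner only if it originates from the authenticated device."""
        return self._check_device(device_id, proof).owner


def demo() -> Dict[str, str]:
    """Run both patterns against the same backend and report who each call reaches."""
    backend = Backend()
    for user in ("owner", "attacker"):
        backend.register_user(user)
    secret = secrets.token_bytes(32)
    backend.devices["DB-0001"] = Device("DB-0001", secret)  # constructed device ID
    proof = device_proof(secret, "DB-0001")
    backend.bind_device("owner", "DB-0001", backend.issue_pairing_code("DB-0001", proof))

    results: Dict[str, str] = {}
    backend.bind_device_insecure("attacker", "DB-0001")          # silent takeover
    results["insecure_takeover_routes_to"] = str(backend.route_call("DB-0001", proof))
    backend.devices["DB-0001"].owner = "owner"                    # reset for the next case
    try:
        backend.bind_device("attacker", "DB-0001", "00000000")
        results["hardened_takeover"] = "allowed"
    except PermissionError:
        results["hardened_takeover"] = "denied"
    results["insecure_fake_call_to"] = str(backend.ring_insecure("attacker", "DB-0001"))
    try:
        backend.route_call("DB-0001", "not-the-device-proof")
        results["hardened_fake_call"] = "allowed"
    except PermissionError:
        results["hardened_fake_call"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is that a device ID (printed on the box, visible in the app, or simply enumerated) is not a secret and cannot be the only thing an account presents to claim a device; ownership has to be tied to proof of possession and checked on every binding and call-origination request.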

In effect, users who paid $12 for the device unwittingly created a situation where anyone on the internet could ring their doorbell. The researchers also found a method to extract the home Wi-Fi password through the device’s debug port.

Root Cause: Platform Design, Not Individual Device

Experts point out that the fundamental cause of this vulnerability lies not in the hardware of the device itself but in the design of the backend platform that facilitates communication. The doorbell was found to be connected to a backend platform branded as “Naxclow,” operated by Guangzhou Qiangui IoT Technology Co., Ltd.

The company’s hardware is resold under multiple brand names, and its backend platform also powers several consumer applications—such as “X Smart Home,” “V720,” and “ix cam”—that are operated under different subdomains. These apps share frontend frameworks built using Vue.js and appear to use the same backend code under various hostnames, according to the researchers. This suggests the issue is not limited to one device but is systemic across the entire platform.

Responsible Disclosure and Manufacturer Response

Following the discovery, the researchers initiated contact through CERT/CC’s VINCE platform on May 6, 2026, to begin the process of assigning a CVE number. Communicating with Naxclow proved particularly challenging, as the company’s website lacked a contact page; the researchers resorted to guessing email addresses and using in-app feedback forms to establish communication. The report was sent on April 29, 2026.

One day after the disclosure on May 7, 2026, Naxclow responded to the researchers, confirming the report and stating that an internal review process had been initiated. At the time of this writing, no details have been released regarding the application of patches or measures to protect users.

Renewed Awareness of IoT Security Risks in Low-Cost Devices

This case highlights the inherent security risks in low-cost IoT devices, particularly those distributed through rapidly growing e-commerce platforms. While hardware commoditization is accelerating, security often takes a backseat. The vulnerabilities in backend platforms can compromise not only user privacy but also the safety of entire networks. Consumers should be cautious and consider not only the price but also the manufacturer’s transparency and track record in providing security updates.

Frequently Asked Questions

Why did such a severe vulnerability exist in such a low-cost doorbell?
The primary reason appears to be a focus on achieving low cost and functionality at the expense of security design. Specifically, the backend platform’s authentication and permissions management were found to be lacking. This suggests that, in the effort to minimize hardware costs, the development and verification of software and services were neglected.
What should users of this doorbell do now?
At present, the manufacturer has not released an official patch or solution. The safest course of action is to disconnect the device from your network and stop using it. If you choose to continue using the device, it is strongly recommended to isolate it on a separate network, such as a guest network, to prevent it from interacting with critical devices like PCs and smartphones. Users should also monitor the manufacturer’s announcements for updates.
Do other inexpensive IoT products pose similar risks?
While this case is specific, similar risks could potentially exist in other inexpensive IoT products, especially those sold under unrecognized brands on e-commerce platforms. Products that share common chipsets, development platforms, or backend services may be vulnerable to similar issues. When purchasing such devices, it is crucial to verify the manufacturer’s security update policies and overall commitment to cybersecurity.
Source: Lobsters
