Cheap smart doorbell allows fleet-wide account takeover and call hijacking
A security researcher, writing on Lobsters on May 16, 2026, disclosed severe vulnerabilities in a widely available, low-cost smart doorbell system. The flaws allowed fleet-wide account takeover, giving an attacker unauthorized access to any user's doorbell account. With that access an attacker could also hijack live video and audio calls initiated through the device, eavesdropping on conversations and viewing real-time footage from any affected doorbell. The researcher demonstrated that exploitation did not require complex methods and relied on weaknesses in the device's authentication and communication protocols. The report emphasized that the issues were not isolated to a single device but affected the entire product line, indicating a systemic security failure in the manufacturer's design and implementation.
The device's low price suggests a potential lack of investment in robust security measures, a common concern with budget IoT hardware. The flaws pose significant privacy and security risks for consumers who rely on these devices for home monitoring, because personal data and live feeds could be accessed by malicious actors. The disclosure is a reminder to both consumers and developers of the importance of thorough security audits and responsible manufacturing practices in the rapidly expanding IoT market.
Developers building IoT solutions must prioritize robust security from design to deployment to prevent widespread vulnerabilities and protect user privacy.