Anyone on the Internet Can Ring Your Doorbell
A security researcher discovered critical vulnerabilities in a cheap smart doorbell purchased from Temu, revealing that the device and its backend platform are highly insecure. The flaws allow attackers to hijack doorbell feeds, spoof doorbell rings with fake video, and extract home Wi-Fi passwords. These issues stem from systemic weaknesses in the Naxclow platform, which powers multiple rebranded devices and apps.
- The Smart Doorbell X3, sold on Temu, connects to a backend platform operated by Guangzhou Qiangui IoT Technology Co., Ltd under the brand Naxclow.
- Researchers found vulnerabilities enabling account hijacking, live video impersonation, and extraction of home Wi-Fi passwords via a physical debug port.
- The same backend infrastructure supports multiple consumer apps like 'X Smart Home' and 'V720', indicating widespread exposure across rebranded devices.
- No response was received from Naxclow after disclosure, prompting publication of the findings one week later with sensitive details omitted.
- The hardware is manufactured by Shenzhen Ruilang Technology Co., Ltd, which produces a range of similar IoT cameras using the same platform.
Opening excerpt (first ~120 words)
06/05/2026 10:35, 39 min read (8229 words)
#Security #IoT #Reverse Engineering #Hardware Hacking #Firmware Updates
2026-05-06. I opened a coordination case with CERT/CC’s VINCE covering the findings below. CVE assignment will go through that process.
2026-05-07. Naxclow contacted me one day after this post went live, acknowledged the report, and started their internal review process.
Naxclow’s reply, the day after publication.
Recently I bought a smart doorbell off Temu, the Chinese marketplace that has been gaining popularity worldwide over the past couple of years. I wanted to know how secure the cheap connected hardware sold on that platform actually is.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at ABGEO's Personal website.