Anyone on the Internet Can Ring Your Doorbell

Why This Matters

This discovery highlights significant security vulnerabilities in inexpensive smart doorbells sold online, exposing consumers to remote hacking, privacy breaches, and network compromises. It underscores the urgent need for better security standards and oversight in the rapidly growing IoT market, especially for affordable devices that often lack robust protections.

Key Takeaways

2026-05-06. I opened a coordination case with CERT/CC’s VINCE covering the findings below. CVE assignment will go through that process.

2026-05-07. Naxclow contacted me one day after this post went live, acknowledged the report, and started their internal review process.

Naxclow’s reply, the day after publication.

Recently I bought a smart doorbell off Temu, the Chinese marketplace that has been gaining popularity worldwide over the past couple of years. I wanted to know how secure the cheap connected hardware sold on that platform actually is. The unit ships under the name “Smart Doorbell X3” and pairs through a mobile app called “X Smart Home”. Camera, microphone, two-way audio, sub-GHz indoor receiver. The kind of gear that has quietly shown up on a lot of front doors.

By the end of a few weekends with one I could:

silently steal any of these doorbells off its owner’s account

impersonate the device on a live call, with attacker-chosen video on the owner’s phone

lift the home WiFi password through a debug port behind a screwdriver

$12 on the front. Whole-network compromise on the back. The first of those takes a free account on the platform, and redirects every real call from the door to my phone instead of the owner’s. The second takes nothing at all, and invents new calls into the owner’s phone with whatever video I want. The real doorbell stays online either way and never knows. You are basically paying $12 to let anyone on the internet ring your doorbell.

The findings sit at the platform layer of the backend, not in any one box on a Temu listing. The doorbell talks to a backend operated under the brand Naxclow, by a Guangzhou-based company called Guangzhou Qiangui IoT Technology Co., Ltd. The same hardware ships rebadged under several reseller brands, and the same provider runs a small family of consumer apps under Naxclow, each on its own subdomain. V720 is one (publicly reverse-engineered already, see intx82/a9-v720). A sibling app called “ix cam” is the other I noticed. I did not separately test either of them. Their web frontends share the same Vue scaffolding as X Smart Home, and that public work already covers the wire-protocol overlap between V720 and the doorbell. The shared SPA codebase plus the protocol overlap suggest the same backend code is running under each branded hostname. This is a story about a platform, not a box.
