Chinese Smart Home Cameras Expose Users to Data Harvesting via Hard‑Coded Credentials and Hong Kong Cloud Relays
What Happened – Researchers from SentinelOne Labs dissected ultra‑cheap Chinese video doorbells and security cameras (brands such as Eken and Tuck). Firmware analysis revealed hard‑coded root passwords and “security fixes” that merely disabled services, and traffic analysis showed that video streams and metadata are routinely sent to servers in Hong Kong and mainland China.
Why It Matters for TPRM –
- The devices form a shadow supply‑chain with opaque ownership, making vendor due‑diligence and legal recourse extremely difficult.
- Hard‑coded credentials can be recovered from the firmware and reused against any device of the same model, giving an attacker a foothold that can be leveraged to pivot into corporate networks that rely on these cameras for physical security.
- Data exfiltration to foreign jurisdictions raises compliance and privacy concerns for any organization that deploys the hardware.
Who Is Affected – Retail & hospitality locations, healthcare facilities, corporate campuses, and any organization that purchases low‑cost smart cameras for surveillance or access control.
Recommended Actions – Conduct an inventory of all third‑party IoT cameras, prioritize removal or segmentation of devices lacking vendor support, enforce network segmentation, and require vendors to provide transparent supply‑chain documentation and secure firmware update mechanisms.
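One way to back the inventory and segmentation steps above with a concrete check is to watch the camera VLAN for egress to anything other than the on‑site recorder. The script below is an added example, not code from SentinelOne Labs or from the device vendors; the VLAN ranges, the allow‑list and the CSV flow export are all assumptions, and the sample flows (using documentation address ranges) are constructed, not captured from real devices.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Assumed (hypothetical) layout: cameras sit on their own VLAN and should
# only ever talk to the on-site NVR/VMS subnet and the internal resolver.
CAMERA_VLAN = ipaddress.ip_network("10.40.0.0/24")
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.40.1.0/24"),   # on-prem NVR / VMS
    ipaddress.ip_network("10.0.0.53/32"),   # internal DNS resolver
]

# Constructed NetFlow-style CSV export; 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for unknown cloud relay endpoints.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes_out
2025-09-20T08:00:01Z,10.40.0.12,10.40.1.5,554,tcp,1843000
2025-09-20T08:00:03Z,10.40.0.12,203.0.113.40,8443,tcp,922000
2025-09-20T08:00:04Z,10.40.0.17,203.0.113.40,8443,tcp,1275000
2025-09-20T08:00:06Z,10.40.0.17,10.0.0.53,53,udp,312
2025-09-20T08:00:09Z,10.40.0.22,198.51.100.9,1234,udp,56000
2025-09-20T08:00:10Z,10.20.0.8,203.0.113.40,8443,tcp,4000
"""

def is_allowed(dst):
    """True if the destination falls inside an approved internal network."""
    return any(dst in net for net in ALLOWED_DESTINATIONS)

def find_unexpected_egress(flow_csv, min_bytes=0):
    """Return (src, dst, port, proto) tuples for camera-VLAN flows that leave
    the allowed set, with total bytes uploaded, largest uploader first.
    Hosts outside the camera VLAN are ignored; they are out of scope here."""
    totals = defaultdict(int)
    for row in csv.DictReader(StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src not in CAMERA_VLAN or is_allowed(dst):
            continue
        key = (str(src), str(dst), int(row["dst_port"]), row["proto"])
        totals[key] += int(row["bytes_out"])
    findings = [(k, v) for k, v in totals.items() if v >= min_bytes]
    return sorted(findings, key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, port, proto), n in find_unexpected_egress(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}/{proto}  {n} bytes uploaded")
```

Any hit is a camera talking to a destination nobody approved; the byte totals separate a stray DNS lookup from a sustained video upload and give the segmentation firewall rule a concrete list of flows to block.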
Technical Notes – The cameras share a common Allwinner‑based hardware platform subsidized by the Chinese government. Firmware contains hard‑coded root passwords; “patches” only comment out vulnerable services. Traffic is routed through non‑public cloud endpoints in Hong Kong, bypassing local data‑residency controls. No CVE identifiers were disclosed, but the issue represents a classic vulnerability‑exploit vector combined with a supply‑chain obfuscation technique. Source: SentinelOne Labs – LABScon25 Replay