Researchers Marc Rogers and Silas Cutler expose a shadow supply chain for ultra-cheap Chinese smart home devices: video doorbells and cameras sold under rotating brands such as Eken and Tuck that turn out to be identical Allwinner-based hardware with hardcoded root credentials, superficial firmware “fixes,” and telemetry routed through servers in Hong Kong and China. Their investigation reveals shell companies and obfuscation tactics that shield the real manufacturers from enforcement, while configuration pushes from overseas servers give whoever operates that infrastructure central control over a large and vulnerable IoT fleet. #Allwinner #Eken
Keypoints
- Cheap video doorbells and security cameras sold under rotating brands (e.g., Eken, Tuck) share an identical hardware platform built on Allwinner SoCs.
- Firmware analysis found hardcoded root passwords, and “fixes” that merely commented the vulnerable services out of startup scripts while leaving their binaries in place rather than removing them.
- Devices are marketed as using cloud services local to the buyer, but metadata and video frequently transit servers in Hong Kong and mainland China.
- A network of shell companies, fictional personas, non-responsive registered agents, and PO boxes hides the true manufacturers and frustrates legal enforcement.
- Rapid hardware revisions with no long-term support, each sold under a fresh brand, mirror the churn seen in malware distribution campaigns and leave a large, unpatched IoT attack surface.
- Configuration pushes from overseas servers can centrally reconfigure many devices at once, exposing consumers who choose these products on price and subscription features alone.
- The presentation stops short of alleging intentional malice but emphasizes the systemic risk created by the opaque supply chain and weak device security.
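The two firmware findings above (a root account with a baked-in password, and services that were commented out of startup scripts rather than removed) are the kind of thing a buyer or reviewer can check for themselves once a firmware image has been unpacked. The script below is an added example written for this summary, not tooling from the talk or from SentinelOne: it walks an extracted root filesystem, flags a root entry in /etc/shadow or /etc/passwd whose password field still permits login, and flags commented-out init-script lines that reference a daemon whose binary is still shipped. The daemon names and the sample rootfs it builds in a temporary directory are constructed for the example; the report names neither the disabled services nor the credential values.

```python
"""Triage an extracted firmware rootfs for hardcoded root credentials and for
daemons that were 'fixed' by commenting them out of init scripts.
Added example for this summary; not tooling from the talk or from SentinelOne."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Daemons worth a look on a consumer camera. Assumed for this example; the
# report does not name the services that were commented out.
SERVICES_OF_INTEREST = ("telnetd", "dropbear", "sshd", "httpd", "rtspd")
# Where BusyBox-style embedded Linux images usually keep startup logic.
INIT_LOCATIONS = ("etc/init.d", "etc/rc.local", "etc/inittab")
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")
COMMENTED = re.compile(r"^\s*#(?!!)\s*(.*)$")  # '#' lines, but not '#!' shebangs


@dataclass
class Finding:
    kind: str    # "hardcoded_root_password" or "commented_out_service"
    path: str    # path relative to the rootfs
    detail: str


def find_root_credentials(rootfs: Path) -> list[Finding]:
    """Flag a root entry whose password field permits login: a real hash, or an
    empty field. 'x' (hash is in shadow), '*' and '!...' (locked) are skipped."""
    findings = []
    for rel in ("etc/shadow", "etc/passwd"):
        f = rootfs / rel
        if not f.is_file():
            continue
        for line in f.read_text(errors="replace").splitlines():
            fields = line.split(":")
            if len(fields) < 2 or fields[0] != "root":
                continue
            pw = fields[1]
            if pw in ("x", "*") or pw.startswith("!"):
                continue
            detail = "empty password" if pw == "" else f"password hash present ({pw[:3]}...)"
            findings.append(Finding("hardcoded_root_password", rel, detail))
    return findings


def binary_present(rootfs: Path, name: str) -> bool:
    return any((rootfs / d / name).exists() for d in BIN_DIRS)


def find_commented_services(rootfs: Path) -> list[Finding]:
    """Flag commented-out init lines that still name a daemon of interest and
    record whether its binary is still on disk (disabled, not removed)."""
    findings = []
    for rel in INIT_LOCATIONS:
        p = rootfs / rel
        scripts = sorted(p.iterdir()) if p.is_dir() else ([p] if p.is_file() else [])
        for script in scripts:
            if not script.is_file():
                continue
            for lineno, line in enumerate(script.read_text(errors="replace").splitlines(), 1):
                m = COMMENTED.match(line)
                if not m:
                    continue
                for svc in SERVICES_OF_INTEREST:
                    if re.search(rf"\b{svc}\b", m.group(1)):
                        state = "binary still present" if binary_present(rootfs, svc) else "binary not found"
                        findings.append(Finding("commented_out_service",
                                                script.relative_to(rootfs).as_posix(),
                                                f"line {lineno}: {svc} commented out, {state}"))
    return findings


def triage(rootfs: Path) -> list[Finding]:
    return find_root_credentials(rootfs) + find_commented_services(rootfs)


def build_sample_rootfs(base: Path) -> Path:
    """Constructed sample rootfs imitating a 'patched' camera image."""
    (base / "etc/init.d").mkdir(parents=True)
    (base / "usr/sbin").mkdir(parents=True)
    (base / "etc/passwd").write_text("root:x:0:0:root:/:/bin/sh\n")
    (base / "etc/shadow").write_text(
        "root:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:0:0:99999:7:::\n"  # fake hash, constructed
        "nobody:*:0:0:99999:7:::\n")
    (base / "etc/init.d/rcS").write_text(
        "#!/bin/sh\nmount -a\n"
        "# telnetd -l /bin/sh &    # 'fixed' by commenting out\n"
        "/usr/sbin/camera_app &\n")
    (base / "usr/sbin/telnetd").write_bytes(b"\x7fELF")  # stub: daemon still shipped
    (base / "usr/sbin/camera_app").write_bytes(b"\x7fELF")
    return base


def demo() -> list[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

Run it against a real image by pointing `triage()` at the directory binwalk or unsquashfs produced. A "commented out, binary still present" result is the pattern the talk describes: the service no longer starts by default, but anything that can edit the init script (a later firmware, or a remote configuration push) can bring it back.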
MITRE Techniques
The mappings below describe the supply chain and device behaviour the researchers observed; the presentation does not attribute them to a specific adversary campaign.
- [T1195] Supply Chain Compromise – Shadow supply chain and rotating brands/shell companies obscure origin and evade oversight, enabling insecure devices to reach consumers (‘shadow supply chain of ultra-cheap Chinese smart home devices’).
- [T1552] Unsecured Credentials – Hardcoded root passwords embedded in firmware provide persistent credentials on devices (‘Firmware analysis uncovered hardcoded root passwords’).
- [T1547] Boot or Logon Autostart Execution – Vulnerable services were left on the device but disabled by commenting out their startup-script entries rather than removed, so they can be reactivated (‘commenting out vulnerable services from startup scripts rather than removing them’).
- [T1071] Application Layer Protocol – Device metadata and video are routed through remote cloud servers in Hong Kong and China over application-layer protocols, in telemetry/C2-like data flows (‘metadata and video content are frequently routed through servers in Hong Kong and China’).
- [T1021] Remote Services – Devices can be reconfigured by simple configuration pushes from overseas, enabling centralized control and potential abuse (‘can be controlled through simple configuration pushes from overseas’).
Indicators of Compromise
The report publishes no hashes, domains or IP addresses; the items below are attributes for hunting and procurement review rather than atomic indicators.
- [Brand/Model] device identifiers and seller names – Eken, Tuck (used across marketplaces and tied to the same hardware platform).
- [Hardware Vendor] chipset/platform – Allwinner SoCs (shared hardware powering multiple brands of device).
- [Credential] embedded credentials in firmware – hardcoded root passwords (values not disclosed in the report).
- [Network Infrastructure] server locations and cloud endpoints – servers in Hong Kong and mainland China (used to route metadata and video content).
- [Firmware Artifact] firmware images and startup scripts – firmware with commented-out vulnerable services, and firmware images analyzed for hardcoded credentials (plus further versions shipped across the rapid hardware iterations).
Read more: https://www.sentinelone.com/labs/labscon25-replay-are-your-chinese-cameras-spying-for-you-or-on-you/