Anyone on the Internet Can Ring Your Doorbell
ABGEO's Personal website
06/05/2026 10:35
Tags: Security, IoT, Reverse Engineering, Hardware Hacking, Firmware

Updates

2026-05-06. I opened a coordination case with CERT/CC’s VINCE covering the findings below. CVE assignment will go through that process.

2026-05-07. Naxclow contacted me one day after this post went live, acknowledged the report, and started their internal review process.

[Screenshot: Naxclow’s reply, the day after publication.]

Recently I bought a smart doorbell off Temu, the Chinese marketplace that has been gaining popularity worldwide over the past couple of years. I wanted to know how secure the cheap connected hardware sold on that platform actually is. The unit ships under the name “Smart Doorbell X3” and pairs through a mobile app called “X Smart Home”. Camera, microphone, two-way audio, sub-GHz indoor receiver. The kind of gear that has quietly shown up on a lot of front doors.

By the end of a few weekends with one I could:

silently steal any of these doorbells off its owner’s account
impersonate the device on a live call, with attacker-chosen video on the owner’s phone
lift the home WiFi password through a debug port behind a screwdriver

$12 on the front. Whole-network compromise on the back. The first of those takes a free account on the platform, and redirects every real call from the door to my phone instead of the owner’s. The second takes nothing at all, and invents new calls into the owner’s phone with whatever video I want. The real doorbell stays online either way and never knows. You are basically paying $12 to let anyone on the internet ring your doorbell.

The findings sit at the platform layer of the backend, not in any one box on a Temu listing. The doorbell talks to a backend operated under the brand Naxclow, by a Guangzhou-based company called Guangzhou Qiangui IoT Technology Co., Ltd.
The same hardware ships rebadged under several reseller brands, and the same provider runs a small family of consumer apps under Naxclow, each on its own subdomain. V720 is one (publicly reverse-engineered already, see intx82/a9-v720). A sibling app called “ix cam” is the other I noticed. I did not separately test either of them. Their web frontends share the same Vue scaffolding as X Smart Home, and that public work already covers the wire-protocol overlap between V720 and the doorbell. The shared SPA codebase plus the protocol overlap suggest the same backend code is running under each branded hostname. This is a story about a platform, not a box.

This post is part of a sanitized responsible disclosure. Finding contact info for Naxclow was not easy. They have no contact page on their website. I eventually found an email address on one of their pages, and brute-forced common alias names on the same domain to widen the net. Most of those bounced. On April 29, 2026 I sent the report through the addresses that delivered, and through the X Smart Home in-app feedback form. As of writing I have not received a reply. I am publishing one week after the notification, with sensitive specifics stripped out.

The list of issues is long, so grab your favorite snack or drink and settle in.

Scope and Ethics

I tested everything below on devices I own, with two of my own X Smart Home accounts. The traffic touched Naxclow’s production backend, but only under my own credentials. I never touched anyone else’s account, device, or traffic.

Real endpoint paths, exact parameter names, the literal hardcoded salt, the full signing implementation, and any working PoC code stay out of this post.
The point is the methodology and the failure modes, not a recipe.

The Device

Three pieces:

the doorbell: camera, push button, mic, speaker, WiFi, sub-GHz transmitter
a small indoor receiver that listens on sub-GHz and rings a tone when the button is pressed
a mobile companion app for live view, two-way audio, and event history

[Photo: The doorbell and its sub-GHz indoor receiver, before I opened anything up.]

[Photo: Back of the unit.]

The label is more interesting than the box. The hardware OEM is Shenzhen Ruilang Technology Co., Ltd, not Naxclow and not whatever brand the seller printed on the listing. FCC ID 2A5LK-X3PRO, approved in March 2024 for 2.4 GHz WiFi plus 433.91 MHz sub-GHz. Ruilang’s grantee code 2A5LK has at least seven WiFi-camera filings under it. One of them is the A9 model that intx82 reverse-engineered as the V720 mini camera. Same factory, fleet of WiFi cameras under different model codes, all pointed at Naxclow’s backend out of the box. The EU and UK importer-of-record on the label is Whaleco, Temu’s corporate arms in those jurisdictions.

Open it up and the chip count is low. One MCU does almost everything: a Beken BK7252N, a cheap WiFi-plus-audio combo. JTAG and UART...