A $12 Temu “Smart Doorbell X3” exposes sequential device IDs and a hardcoded firmware salt, letting anyone hijack calls or steal the device account with a free signup.
Key Takeaways
Device IDs are sequential, and alert requests are forgeable because the signing salt is hardcoded into every Naxclow firmware build.
The alert response returns static P2P credentials (host, password) in plaintext; they survive factory reset and account rebinding.
An attacker can silently steal the doorbell off its owner’s account, redirect all calls to their phone, or inject arbitrary video into fake call notifications.
UART at 115200 8N1 on exposed pads dumps firmware version, register state, and WiFi credentials with no authentication required.
The same Naxclow backend and shared Vue/SPA codebase serve rebadged sibling apps (V720, ix cam), meaning the attack surface spans an entire device fleet.
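The first two takeaways describe one root cause: a signing secret shared by the whole fleet over guessable device IDs. The following added example (not Naxclow's code; the request format, field names and `AlertServer` are a constructed model) puts that weak design beside the hardened one a backend should enforce: a random secret provisioned per device, a random device ID, a freshness window and a nonce cache against replay.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of a device-to-backend "alert" request; it is not the
# Naxclow protocol. It contrasts a fleet-wide signing salt with per-device
# secrets plus replay protection, which is the design fix the findings imply.

FLEET_SALT = b"constructed-fleet-salt"  # identical in every firmware image

def weak_sign(device_id: int) -> str:
    """Weak: whoever holds the firmware holds the salt, so any ID can be signed."""
    return hmac.new(FLEET_SALT, str(device_id).encode(), hashlib.sha256).hexdigest()

def weak_verify(device_id: int, sig: str) -> bool:
    return hmac.compare_digest(weak_sign(device_id), sig)

class AlertServer:
    """Hardened: random per-device secrets, freshness window, nonce replay cache."""

    def __init__(self, max_skew: int = 60):
        self.secrets = {}          # device_id -> secret provisioned at manufacture
        self.seen_nonces = set()
        self.max_skew = max_skew

    def provision(self):
        device_id = secrets.token_hex(8)   # random, not sequential
        secret = secrets.token_bytes(32)
        self.secrets[device_id] = secret
        return device_id, secret

    @staticmethod
    def mac(secret: bytes, device_id: str, ts: int, nonce: str) -> str:
        msg = f"{device_id}|{ts}|{nonce}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def verify(self, device_id, ts, nonce, sig, now=None) -> bool:
        now = int(time.time()) if now is None else now
        secret = self.secrets.get(device_id)
        if secret is None or abs(now - ts) > self.max_skew:
            return False               # unknown device or stale timestamp
        if nonce in self.seen_nonces:
            return False               # replayed request
        if not hmac.compare_digest(self.mac(secret, device_id, ts, nonce), sig):
            return False               # not signed with this device's secret
        self.seen_nonces.add(nonce)
        return True
```

In the weak model a valid signature for any device ID needs nothing but the shared constant; in the hardened model a signature made with another device's secret, a replayed nonce or a stale timestamp is all rejected.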