A researcher found that Naxclow-backed doorbells sold on Temu use sequential device IDs, a hardcoded firmware signing salt, and plaintext P2P credentials, enabling full remote account hijack.
Key Takeaways
The $12 “Smart Doorbell X3” pairs with the “X Smart Home” app and talks to a Guangzhou Qiangui IoT / Naxclow backend; the same backend likely serves V720 and ix cam devices.
Device IDs are sequential; the request signing token uses a hardcoded salt baked into every firmware, so forging alert requests requires no per-device physical access.
The alert response returns static P2P credentials (host, password) that survive factory reset and rebinding; the credentials never rotate.
P2P call setup broadcasts both device token and account token in a single plaintext packet; unencrypted JPEG frames and audio follow on the same channel.
UART at 115200 8N1 dumps firmware version, register state, and WiFi credentials at boot; the debug port is accessible with a screwdriver and basic probing gear.
Hacker News Comment Review
Commenters debated whether “anyone” is accurate: the signing salt is shared across all firmware, so physical access to one unit bootstraps remote attacks against every device on the platform, not just the tested unit.
Consensus leaned toward the title being defensible: the hardcoded salt means the key is not device-specific, so extracting it once is sufficient for platform-wide forgery.
Several commenters noted none of the attack surface is exotic – sequential IDs, hardcoded salts, cleartext P2P – framing this as a predictable outcome of cheap IoT platform shortcuts rather than a novel finding.
Notable Comments
@interludead: “The most depressing part is that none of this sounds exotic”
@consp: Compared the security model to an open doorway with a curtain and the key hanging beside it – effectively no security boundary exists.