Anyone on the Internet Can Ring Your Doorbell
Summary
A detailed security analysis of a low-cost smart doorbell (Smart Doorbell X3) linked to the Naxclow backend. The post documents insecure plain HTTP control plane, plaintext credentials exposed via UART, unencrypted P2P signaling, forgeable signatures, and device ID enumeration enabling takeover and impersonation. It outlines a phased disclosure, hardware details, OTA absence, and practical takeaways for homeowners and manufacturers to improve IoT security in SBC/SMB contexts.