← Security Cameras
D

Aqara Video Doorbell G4

Chinese facial recognition doorbell that builds a mugshot database of everyone who visits your home.
Serious concerns
Lumi United · 🇨🇳 China · WiFi + Bluetooth
PolicyApp PermissionsNetwork TrafficFirmwareRegulatory
Technical details
App: com.lumiunited.aqarahome
Manufacturer: Lumi United Technology (Aqara)
Model: Video Doorbell G4

⚠️ The bottom line

Your doorbell recognises faces locally, which is great, except the app that manages whose face is whose runs on Chinese cloud servers. Like saying your diary is private because you write it at home — while your secretary in Shenzhen keeps the index. Aqara built a secret remote control into your hub that runs any command as root with no logs. When researchers found it, instead of removing it, they put a screen door on the backdoor. The hub your doorbell depends on has a skeleton key built in.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law read more →
Company must secretly hand data to Chinese intelligence on request
Data Security Law read more →
State can classify any data as 'important' and demand access for national security
Spying
3/4 HIGH
Is someone spying on me?
Data Sharing
3/4 HIGH
Who gets my data?
Security
4/4 EXTREME
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
REPLACE Extreme risk. Look for alternatives or lock down hard.
10Contradictions
2Critical
5High
3Medium
6Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚠️ criticalpolicy claims vs app permissions
Your doorbell recognises faces locally, which is great, except the app that manages whose face is whose runs on Chinese cloud servers. Like saying your diary is private because you write it at home — while your secretary in Shenzhen keeps the index.

What they claim: "AI-based facial recognition is executed locally on device for faster response and privacy protection."

What we found: Face database (30 faces) tagged/named through Aqara Home app requiring Lumi United cloud account on Chinese servers. "Local" processing real, but metadata about whose face is whose flows through app to Lumi's cloud.

⚡ highapp permissions vs policy claims
Your doorbell is building a mugshot database of everyone who walks up to your house. The postman didn't consent to facial recognition. Neither did your neighbour. But hey, at least you can set a different message for each one.

What they claim: "Facial recognition reduces false alerts and ensures you're always informed about who's at your door."

What we found: Doorbell stores 30 faces, triggers different automations per person, labels unknowns for review. Biometric surveillance registry of everyone approaching your home — delivery drivers, neighbours, friends. None consented to facial recognition.

Data Sharing 3/4 HIGH 3 findings
⚡ highpolicy claims vs firmware analysis
Aqara says automations work locally. Users say: block the internet and watch everything die. The hub literally throws a tantrum — strobe-flashing blue — until you let it phone home to China again.

What they claim: Aqara markets "local automation" that "works even when internet connection is down."

What we found: Community testing: blocking hub's internet causes all 128 connected Zigbee devices to stop responding. Hub strobe-flashes blue until internet restored. "Local" automations may survive briefly but hub is cloud-dependent.

⚫ mediumapp permissions vs policy claims
The app for your doorbell wants 54 permissions and scans your installed apps, Wi-Fi name, MAC address, and device sensors. For a doorbell. That rings when someone pushes a button.

What they claim: Aqara Home is a smart home management app.

What we found: App requests 54 permissions including fine location, camera, Bluetooth, extensive network access. SDKs collect device ID, Android ID, MAC, SSID, BSSID, installed app list, sensor data. AndroidX Webkit SDK collects this "multiple times."

⚫ mediumpolicy claims vs regulatory findings
Your doorbell data could end up on servers in China, Russia, Singapore, South Korea, the US, or Germany. Aqara promises they won't send it "directly" to China "without desensitization." That word "directly" is doing more heavy lifting than any load-bearing wall.

What they claim: Aqara protects data with regional storage and "data desensitization."

What we found: Data centres in China, US, Singapore, Korea, Russia, Germany. Privacy policy permits transfers to any. "Desensitization" only applies to data "directly transmitted back to mainland China" — leaving indirect transmission and metadata unaddressed.

Security 4/4 EXTREME 5 findings
⚠️ criticalfirmware analysis vs policy claims
Aqara built a secret remote control into your hub that runs any command as root with no logs. When researchers found it, instead of removing it, they put a screen door on the backdoor. The hub your doorbell depends on has a skeleton key built in.

What they claim: Aqara markets HomeKit Secure Video compatibility and encrypted storage.

What we found: CVE-2025-65294 (CVSS 9.8): Hub firmware contains undocumented CoAP endpoint /lumi/gw/rpc allowing remote execution of arbitrary shell commands with root privileges. No audit trail. "Fix" was adding easily-bypassed filters rather than removing the capability.

⚡ highpolicy claims vs regulatory findings
The company that makes your doorbell is legally required to help Chinese intelligence if asked. And we already know they built in a secret remote shell. "Privacy protection" starts to sound like a punchline.

What they claim: "Executed locally on device for faster response and privacy protection."

What we found: Lumi United headquartered in Shenzhen. China National Intelligence Law Art 7: all organisations "shall support, assist, and cooperate with national intelligence efforts." US DHS warns China can "direct firms to covertly install backdoors" — which is exactly what CVE-2025-65294 documents.

⚡ highfirmware analysis vs policy claims
Aqara says your data is encrypted. Their hub doesn't check if it's talking to the real server or an impersonator. Like locking your front door but leaving the key taped to the doorframe.

What they claim: "Keeps your data safe by encrypting it."

What we found: CVE-2025-65291: Hub fails to validate server certificates in TLS connections for discovery and CoAP communications. Enables man-in-the-middle attacks on device control and monitoring.

⚡ highfirmware analysis vs policy claims
The device controlling your entire smart home accepts firmware updates without checking if they're legit. Combined with the TLS bug, an attacker can push malicious firmware like sliding a note under the door. "Security updates" that can't verify their own authenticity.

What they claim: Aqara: "We provide continuous security updates for IoT products."

What we found: CVE-2025-65295: Hub fails to validate firmware signatures during updates, uses outdated crypto. Combined with CVE-2025-65291 TLS failure, attacker can push malicious firmware to hub controlling doorbell, cameras, and 128 Zigbee devices.

⚫ mediumfirmware analysis vs policy claims
HomeKit Secure Video is genuinely good. Your video is encrypted end-to-end. But the hub your doorbell connects through has a root shell backdoor on your home network. Like having a titanium safe in a house with no walls.

What they claim: HomeKit Secure Video provides end-to-end encryption via iCloud.

What we found: HKSV encrypts video stream to iCloud, but Aqara Hub with CVE-2025-65294 root shell sits on same network. Hub can reach other network devices. HomeKit protects video; does nothing about compromised hub seeing your entire network.

Sources