Cybersecurity experts have issued a warning about Chinese-made Internet of Things (IoT) devices in Australian homes, after an investigation found a model of smart doorbell had been compromised by hackers.

Prominent cybersecurity firm CyberCX issued the warning on Monday after it allegedly discovered that a doorbell made by Chinese manufacturer Dahua and installed in an Australian home had become part of a botnet, a network of infected devices under the control of a single attacker or group of attackers.

The attackers were able to use the doorbell to effectively “gain a constant surveillance feed of the family’s front door and driveway, while locking the family out of the smart doorbell device”, CyberCX said.

The breach was allegedly detected when a person in the household connected a work computer to their home Wi-Fi network, which triggered an alert from their employer’s cybersecurity software.

The doorbell model in question, the Dahua VTK-VTO6210BW-VTH1560BW, could have allowed the attacker to access other Wi-Fi-enabled devices in the home such as TVs and computers, CyberCX alleged.

The company’s chief strategy officer Alastair MacGibbon, a former cybersecurity advisor to the federal government, said he was concerned Chinese-made devices “with negligible security measures” were “flooding the Australian market”.

“Cheap consumer electronics especially so, because security is not front of mind for manufacturers — these products are not safe when they come out of the box,” he said.

“And while these risks can apply to all connected devices in the home, they are particularly pronounced for Chinese-made tech which requires a constant, ongoing connection to Chinese manufacturers to operate, leaving them at the whim of Chinese government security agency direction and surveillance.”

While affordable devices from China were attractive to consumers, Australians were “effectively bringing foreign surveillance tools into their homes”, MacGibbon argued.

Australians can purchase Dahua devices through online retailers, and the company’s products are also offered by some security and surveillance device installers.

In a statement to Information Age, Dahua said it was committed to addressing claims of product vulnerabilities, but could not verify CyberCX's claims because the firm "has not provided any information regarding the incident despite our repeated attempts to engage with them".

CyberCX said it had sought to "respect the privacy of the individuals involved and the employer".

Dahua added that it "does not store, manage, or have access to end-user's data".

"We adhere to common standards for security practices in the industry and complies [sic] with all applicable laws, regulations, and business ethics of each market in which we operate," the company said.


CyberCX says the Dahua VTK-VTO6210BW-VTH1560BW doorbell was compromised by hackers in at least one Australian home. Image: Dahua

Potentially vulnerable devices not just from China

Paul Haskell-Dowland, a cybersecurity professor at Edith Cowan University and a member of the ACS Cyber Security Committee, said the availability of cheap devices with limited security and few software updates was a concern, no matter where the devices were made.

“Regardless of whether a Chinese manufacturer is involved, there are very large volumes of IoT tech that is forgotten about or abandoned by manufacturers,” he told Information Age.

“… All of that tech is potentially vulnerable through cybercriminals or state actors.”

Chinese technology companies have tended to face extra scrutiny due to the large volume of devices the country has produced, as well as legislation which compelled Chinese firms to comply with orders from the Chinese government, Haskell-Dowland said.

“The ability for the Chinese government to take control of devices is already here, and it’s already widespread,” he said.

Alastair MacGibbon from CyberCX said while all smart devices could have vulnerabilities, Australia “should be avoiding electronic devices from surveillance states like China”.

“The difference between smart devices manufactured in the United States, Korea, or Japan is that we know their intelligence agencies don't and won't compel user data for surveillance,” he said.


CyberCX's Alastair MacGibbon argues Australia should avoid 'electronic devices from surveillance states like China'. Photo: CyberCX / Supplied

Hundreds of surveillance cameras made by Dahua and fellow Chinese company Hikvision have been removed from Australian government offices in recent years, following similar moves by the US and UK.

Australian agencies have also grounded fleets of drones made by Chinese company DJI.

However, products made by all three companies can still be purchased by Australian consumers.

Because Chinese-made security cameras — including those made by Dahua — have been banned from Australian defence sites, CyberCX argued they were also "unsafe for Australian households".

‘Some concern’ over popular TP-Link routers

MacGibbon has previously raised concerns about Chinese company TP-Link, whose popular internet routers are used by thousands of consumers in Australia.

Politicians in the US have recently considered banning TP-Link routers in that country over concerns they may have been used in cyberattacks, according to a December report by The Wall Street Journal.

The report would raise “some concern” in Canberra, Haskell-Dowland said, but would potentially create greater anxiety for Australian internet service providers (ISPs) and device retailers — many of which trust the brand, which has not been publicly linked with any cyberattacks in Australia.

In its latest Annual Cyber Threat Report, cyber intelligence agency the Australian Signals Directorate (ASD) said the exploitation of routers in home offices posed “a significant risk to individuals and small businesses”.

Of the 8.3 million routers used in Australian home offices, it was “very likely” that a considerable number of them were “exposed and vulnerable to malicious cyber actors”, the agency said.

Compromised routers could be used to steal data from networks, but could also be used in botnet attacks without the device owner’s knowledge, ASD said.


TP-Link devices are popular in many countries, with many Australian telecommunications providers supplying them to customers. Image: TP-Link

Can new laws secure IoT devices?

Australia’s first Cyber Security Act, which became law in November 2024, introduced a provision allowing the federal government to implement mandatory security standards for IoT devices.

The laws also give the government the power to test products and make manufacturers comply with rules or face having to recall products such as smart TVs, smart watches, home assistants, and baby monitors.

While CyberCX’s Alastair MacGibbon said it was “encouraging” to see the government introducing requirements for smart devices, he argued it was difficult to protect Australians from an “influx of cheap connected devices available on Chinese e-commerce platforms like Temu and Shein”.

Paul Haskell-Dowland agreed, and added it would still be “very difficult” to effectively eradicate the issue given the “massive, long tail of old devices” already in Australian households, which were unlikely to be replaced for years and would stop receiving software updates.

“It’s just going to be impossible to get full coverage, but you’ve got to do something,” he said.

Consumers could better protect themselves from possible vulnerabilities by using unique passwords for each device or account, buying products which allow two-factor authentication, purchasing from reputable Australian retailers, and keeping product software up to date, he added.