People may believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they could be unwittingly inviting hackers into their home or workplace, according to the consumer advice group Which?.
Wireless cameras active in UK homes are vulnerable to hackers due to security flaws with the devices themselves, and a popular app many of them use, Which? says. The flaws affect dozens of camera brands made by the China-based company HiChip and sold cheaply on online marketplaces like Amazon, eBay, Wish and AliExpress. It allows hackers to find the location of the user’s home and target other devices linked to their home broadband network.
If these vulnerabilities were exploited, the hacker could even access live footage and speak via the camera’s microphone, including uses as baby monitors connected via the internet. These attacks can still be exploited even if users change their password. Which? is advising anyone who believes their camera could be affected to stop using it.
Kate Bevan, Which? Computing Editor, said: “Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around – cheap isn’t always cheerful, especially when it comes to unknown brands.
“The government must push forward with its plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.”
The issue, Which? point out; weak Unique Identification numbers (UIDs), often found on a sticker on the side of the cameras, which hackers can discover and then target users of the CamHi app – as used by millions of people to view camera footage – when they connect to their camera. The attacker can then steal the device’s username and password, and use the stolen credentials for camera access.
Background
Which? worked with US-based security man Paul Marrapese to test and verify security faults in these cameras: Accfly, ieGeek Security Outdoor Camera 1080P, WiFi IP Security Camera indoor – GENBOLT 1080P, Elite Security, SV3C. More on Paul Marrapese’s work at https://hacked.camera/.
Comments
Boris Cipot, senior security engineer at Synopsys, said: “We use IoT devices and its technology as if it is already matured. Yet, we, as users and consumers of this useful and exciting technology, need to realise that it is still evolving. It has not yet reached the maturity level needed to serve the masses with stability and most importantly, security.”
Jake Moore, of cyber security firm ESET, said: “The massive growth in IoT devices placed in the home and office is the perfect opportunity for cyber criminals to make money from particular types of malware. IoT devices are far too often packaged up with weak (if any) built-in security features, so the public are on the back foot from the outset. Security updates also tend to be infrequent which puts further risks on the owner. Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7. If the cameras still record on the premise, they may not need to be online at all, preventing the risk of an attack altogether.”
And Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast, said: “IoT devices can provide attackers with an easy route into your home network. With many of us working from home now, this poses an increased risk to businesses, due to the opportunity for an attacker to more easily move from an employee’s personal network to their employer’s. Apart from gaining access to the network, internet enabled security cameras can be exploited in a number of other ways, including shoulder surfing to gain information such as credentials, monitoring victims and collating information that can be used to create convincing phishing attacks and cameras with microphones can be used to spy on meetings and gain sensitive information. These increased threats require businesses to provide their workforce with awareness training on a regular basis, to ensure best practise is followed and staff are vigilant.”
