Amazon Promoted Webcams Vulnerable To Hackers, Warns Which?


Cheap home security cameras, webcams and baby monitors, promoted by Amazon, are riddled with security flaws

A number of wireless cameras and baby monitors tested by consumer group Which? have been found to contain multiple security flaws.

Indeed, the flaws in the home surveillance and baby monitoring cameras are so severe that they could allow hackers to spy on homeowners and parents.

And to make matters worse, Which? warned these vulnerable security webcams are being promoted by Amazon as bestselling devices and Amazon’s Choice products.

Webcam vulnerabilities

Which? warned about the webcams after its researchers tested six wireless cameras that had received the Amazon’s Choice label – a move that ranks the devices at the top of the company’s search results.

The flawed cameras also had hundreds of positive reviews.

“Also marketed as baby and pet monitors, many of these cameras are mass-produced in Shenzhen, China, and appear to undergo little or no quality control before being sold in the UK,” warned Which?

“These cameras are appealing targets for hackers and snoopers on a potentially huge scale,” it said. “One analyst we worked with suggested that around 50,000 security cameras in the UK, or 2m worldwide, contain critical flaws that make it easy for anyone to gain access.”

“On showing our findings to Amazon and requesting that the affected cameras were removed, it declined to comment,” Which? reported.

The vulnerable devices came from brands such as Vstarcam, ieGeek, Sricam and SV3C.

“Our lab partner, Context Information Security, tested the cameras and found critical issues with all of them,” said the consumer group. “Risks range from your private data being exposed, to a hacker being able to gain complete control of the camera and potentially seeing into your home.”

The cameras, it seems, are blighted by weak passwords and unencrypted data, and some even allowed root access, letting a hacker take over the camera and see inside homes.

Which? said the cameras are cheap (some cost as little as £30), and have hundreds or even thousands of positive reviews.

The group also said that of the top 50 bestselling surveillance cameras on Amazon.co.uk at the time of the investigation, 32 are from companies that have no web presence at all outside of online marketplaces, or very basic websites with limited contact details.

And with some of the cameras, it was impossible to work out who made them.

Hidden risk?

One security expert called for government intervention on IoT devices, and said that a BSI kitemark, for example, would help consumers know which devices had security designed into the product.

“Whether it’s virtual assistants or home security equipment, new devices are increasingly being adopted in all areas of our lives,” said David Emm, principal security researcher at Kaspersky.

“Today’s report by Which? serves as a reminder to owners of webcams, baby monitors and home surveillance cameras of the dangers people face, even in their own homes,” said Emm. “After all, given the amount of sensitive information exchanged in what is seen as a ‘safe’ space, hackers are therefore able to access a huge volume of personal information that can be used to devastating effects. By successfully hacking home devices, criminals are able to spy on people, blackmail them, and even discreetly make them their partners in crime.”

“In order to combat this, further Government intervention is becoming increasingly necessary,” said Emm. “If the Government provides manufacturers who comply with IOT device standards to display a clearly-visible mark (like the British Standards Institute kitemark), it would provide an easy way for consumers to tell if something is safe, and to avoid the manufacturers not complying with these standards.

“Security should be implemented by design – and as these devices are manufactured for global consumption, appropriate Government’s guidelines will help make these devices safer,” he concluded.

Another expert echoed the call for more security for IoT devices.

“The revelation that more than 50,000 internet-connected cameras sold by Amazon and other retailers could have critical security flaws will send a shiver down the spine of consumers, but this is only the tip of the iceberg,” warned Wai Man Yau, VP and general manager international at software security specialists Sonatype.

“Every day thousands of vulnerable software components are built into a wide range of devices, and this isn’t limited to unknown brands lurking on Amazon; last year alone the average UK enterprise downloaded 21,000 components with a known security flaw, while faulty components are being used by some 57 percent of the Global Fortune 100,” said Man Yau. “Which? rightly advises people to buy from known brands with a reputable website and customer support service. However, this will only protect them from some security risks, and overlooks the enormous threat posed by vulnerable software.”

“To truly protect consumers, security needs to be designed into connected devices from the very beginning,” Man Yau said. “The tools are available to enable manufacturers to build security into their applications right from the start, meaning failure to do so should amount to gross negligence. No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different?”

And he finished off by warning Amazon about its responsibilities.

“Retailers too must be more stringent about the products they stock, and take responsibility for protecting their user base,” said Man Yau. “Manufacturers, retailers, governments and consumers all need to be educated about the risks, and work together to secure our increasingly connected world.”
