Home Surveillance Cameras Pose Privacy Risks, Data Leakage by Hacking

The Consumer Council tested the cyber security of 10 home surveillance cameras on the market and found that only one sample met the European Cyber Security Requirements. (Courtesy of the Consumer Council)
3/19/2023
Updated: 3/19/2023

The Hong Kong Consumer Council tested the cyber security of ten home surveillance cameras on the market and found that only one model complied with the European cyber security standard. The other nine posed various cyber security concerns, including the transmission of videos and data without encryption and failure to defend against “brute-force attacks” in which hackers try to crack passwords.

In addition, the security of user data storage could be improved in many apps, with half of the tested models allowing access to user files stored on the smart device through their Android apps. Some apps even requested excessive permissions.

(The Epoch Times)

The Council urges manufacturers to improve the cyber security of their products, for example by introducing anti-brute-force designs and encrypting video and data.

Consumers should also set strong passwords for their surveillance cameras, change them regularly, and make good use of firewalls and network monitoring functions.

The ten models of home surveillance cameras tested were priced between $269 and $1,888, all providing two-way audio, motion detection, night vision, Amazon Alexa, and Google Assistant voice control. The models tested were from Arlo, Xiaomi, Imou, TP-Link, BotsLab, Eufy, EZVIZ, SpotCam, D-Link, and Reolink.

In addition, the Council commissioned an independent laboratory to test the cyber security and hardware design of these ten models with reference to the European Standard ETSI EN 303 645 and the industry standard OWASP MASVS.

Among the ten surveillance cameras, Arlo has the highest total score of four out of five, with five marks for protection against attack, security of data transmission and apps, and hardware design, but three marks for the security of data storage. At $1,888, it is also the most expensive sample.

The other nine models have a micro-SD memory card slot, into which a card can be inserted to save videos.

5 Models Do Not Have Encrypted Data Transmission

The Council said that live video streaming to mobile devices through the app allows users to keep track of the real-time status.

Four models tested did not use Secure Real-Time Transport Protocol (SRTP) in live streaming, which could provide data encryption and message authentication. Instead, they used the less secure and unencrypted Real-Time Transport Protocol (RTP).

The four models are Imou (Model: IPC-F88FIP-V2), TP-Link (Model: Tapo C210), EZVIZ (Model: CS-C6), and D-Link (Model: DCS-8350LH).

In addition, the Reolink (model: Argus 3 Pro) uses Hypertext Transfer Protocol (HTTP) to transmit data when connecting to the user’s Wi-Fi network and does not encrypt sensitive data, so hackers can find the router’s account information in plain-text files.

The Consumer Council recommends that manufacturers switch to the more secure Hypertext Transfer Protocol Secure (HTTPS) to protect users better.

4 Failed to Defend Against Brute-force Attacks

The test found that three samples could be cracked during live video streaming with automated tools and programs that repeatedly test all possible password combinations (brute-force attacks).

The default passwords of EZVIZ and D-Link are only six digits or letters, which are very low in strength and are easily cracked. The Eufy (model: T8441X) could also be cracked.

The Council mentioned that the SpotCam sample (model: Solo 2) places no limit on the number of login attempts made through the mobile phone application, which a hacker could use to obtain account information.

The Council recommends that the manufacturers of these four products incorporate anti-brute-force designs, such as multi-factor authentication and limiting the number of password attempts.
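The attempt limit the Council recommends can be sketched as follows. This is an added example, not code from the Council's report or from any tested product; the policy values (five failures, a 300-second lockout that doubles) and all names are assumptions chosen for illustration.

```python
MAX_FAILURES = 5        # assumed: failed attempts allowed before a lockout
BASE_LOCKOUT = 300      # assumed: first lockout in seconds, doubled each time


class LoginThrottle:
    """Counts failed logins per account and locks the account with backoff."""

    def __init__(self, max_failures=MAX_FAILURES, base_lockout=BASE_LOCKOUT):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self._state = {}  # account -> [failures, locked_until, lockouts]

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at `now`."""
        st = self._state.setdefault(account, [0, 0.0, 0])
        if now < st[1]:
            return "locked"           # refuse even a correct password
        if password_ok:
            del self._state[account]  # success clears the failure history
            return "ok"
        st[0] += 1
        if st[0] >= self.max_failures:
            st[2] += 1                # each new lockout lasts twice as long
            st[1] = now + self.base_lockout * 2 ** (st[2] - 1)
            st[0] = 0
        return "denied"


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def min_days_to_exhaust(candidates, max_failures=MAX_FAILURES,
                        base_lockout=BASE_LOCKOUT):
    """Lower bound on days needed to try every candidate under the throttle.

    Ignores the doubling of lockouts, so the real figure is higher.
    """
    return (candidates // max_failures) * base_lockout / 86400
```

Even a six-digit default password, which has only `keyspace(10, 6)` candidates, takes well over a year to exhaust under this assumed policy, whereas without a limit the whole space can be tried as fast as the camera answers.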

Temporary Passwords Remain Valid After Logging Back Into the Account on 3 Models

Each time the user logs in to connect to the camera, a session key equivalent to a temporary password is used. The session key should expire after disconnection, and the user should be given a new session key when logging in again.

However, the test results showed that when the samples of BotsLab (model: P4 Pro), SpotCam, and Reolink were logged in to connect to the camera again, the session key used for the previous connection was still valid. If a hacker steals the old session key, they can connect to the camera and see the image.

On the Reolink, after logging out of an account or logging in to another account in the same mobile phone application, live images from the surveillance camera could still be seen when connecting to the logged-out account, which is a security vulnerability.
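The expected lifecycle of the temporary key (a session key, rendered as "conversation key" in the report's translation) can be sketched as follows: a fresh key per connection, invalidated on disconnect, and every key revoked on logout. This is an added example, not code from the report or from any vendor; the class, its method names and the 900-second lifetime are assumptions.

```python
import hashlib
import secrets

SESSION_TTL = 900  # assumed: maximum lifetime of a session key, in seconds


class CameraSessions:
    """Issues one random key per connection and forgets it on disconnect."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._live = {}  # sha256(key) -> (account, expires_at)

    @staticmethod
    def _digest(key):
        # Store only a hash so a leaked session table exposes no live keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def connect(self, account, now):
        """Create a fresh key for this connection; never reuse an old one."""
        key = secrets.token_urlsafe(32)
        self._live[self._digest(key)] = (account, now + self.ttl)
        return key

    def disconnect(self, key):
        """Invalidate the key as soon as the stream is closed."""
        self._live.pop(self._digest(key), None)

    def logout(self, account):
        """Revoke every key of the account on logout or account switch."""
        for digest in [d for d, (a, _) in self._live.items() if a == account]:
            del self._live[digest]

    def authorize(self, key, account, now):
        """Allow a stream request only for a live key of this account."""
        entry = self._live.get(self._digest(key))
        if entry is None:
            return False
        owner, expires_at = entry
        if now >= expires_at:
            self.disconnect(key)
            return False
        return owner == account
```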

Insufficient Data Storage Security in All Sample Applications

Sensitive information such as email addresses, account names, or passwords was stored in plain-text files without encryption. The relevant information would only be removed after a certain time, posing risks.

In addition, the embedded browser in the Android version of five samples (Imou, TP-Link, Eufy, EZVIZ, and D-Link) did not block access to files, which allowed hackers to access files on the device by injecting code. The mobile phone applications of five samples also had excessive access rights, so data inside the device may be leaked; these were Xiaomi Mi (model: MJSXJ09CM), Imou, BotsLab, Eufy, and EZVIZ.

The Council also pointed out that the Android version of the BotsLab app uses the obsolete Data Encryption Standard (DES), which has a shorter key length of 56 bits.

City University Scholar: Consumers Can Only Rely on Manufacturers to Improve Product Quality

Mr. Tsang Kim Fung, Associate Professor of the Department of Electronic Engineering, City University of Hong Kong, believes that some samples have greater network security issues, such as unauthorized server access, insecure data transmission, and insecure data encryption, which may pose risks such as privacy leakage and mobile phone data leakage.

However, the product design and application of the home surveillance cameras are the manufacturer’s responsibility, and consumers can only rely on the manufacturer to improve the quality of the product.

The Council reminds consumers to be vigilant of the following when choosing and using home surveillance cameras.

Consumers should avoid purchasing products without a brand name or from unknown sources. They should open the app and activate the camera only when monitoring is needed. Also, they should set a strong password with no fewer than eight characters. The password should also contain a combination of upper- and lower-case letters, numbers, and special symbols.

The password should be changed regularly, and if the surveillance camera is installed and set up by someone providing door-to-door service, change the password immediately after installation.

In addition, consumers should never use public devices, or devices for which they do not have administrator permission, to log into an account, and should avoid using public Wi-Fi networks for monitoring to prevent account data from being recorded and stolen.