Last September, owners of Wyze security cameras in the US were shocked to discover that rather than viewing footage from their own homes on their webcam feeds, they were actually peering into the properties of other camera owners.
“Went to check on my cameras and they are all gone to be replaced with a new one…and this isn’t mine,” said one user on Reddit. As it turned out, this was far from an isolated incident, too.
Less than six months later the same thing happened again: this time 13,000 Wyze users received thumbnails from other people’s cameras, which allowed footage of those homes to be viewed by other users. The company said at the time that a ‘sudden surge in demand caused the system to mix up user device IDs and user ID mapping, thereby linking the wrong accounts with some data’ – hardly reassuring for users who understandably expect their security camera footage to remain private.
Nor is Wyze the only culprit. In 2018, five European security consultants found a way to access video footage from security cameras made by Australian company Swann just by inputting a product serial number without any need for a username and password. And in 2022, security researcher Paul Moore discovered that the Anker-owned Eufy’s Doorbell Dual camera feed could be accessed by a web browser just by knowing the right URL without needing any password at all!
Government backing
Of course, it would be easy to conclude from these various incidents that owning a home security system is simply more trouble than it’s worth. The good news, though, is that things are getting better thanks to new government legislation and a greater awareness among the public about the importance of strong passwords.
In April, the UK introduced the Product Security and Telecommunications Infrastructure (PSTI) Act. This means that all manufacturers of IoT devices (including security cameras, smart TVs, smart fridges etc.) must meet minimum password requirements, adhere to recognised security standards (ETSI EN 303 645 and ISO/IEC 29147) and inform consumers about the minimum period for which security updates are provided for each device. Failure to do so could result in a £10 million fine or 4% of worldwide revenue.
Meanwhile, in the US, the Connectivity Standards Alliance (the group behind the Matter smart home standard) recently introduced the IoT Device Security Specification for smart consumer devices, including lightbulbs, switches, thermostats and cameras. Developed by nearly 200 member companies, including Amazon, Google, Schneider Electric and Signify (Philips Hue and WiZ), the specification stipulates several requirements for IoT devices including having a unique ID, no hardcoded default passwords, secure storage of sensitive data and software updates during the product’s support period. Devices meeting these requirements will be able to carry the CSA’s new Product Security Verified (PSV) mark. Last year the US government also introduced its own Cyber Trust Mark for products meeting certain security standards outlined in a report by the National Institute of Standards and Technology (NIST).
“It’s still early days and only a handful of devices have passed the certification so far, but the idea is that consumers in a hardware store will be able to check for the mark and also scan a QR code on the device to see which tests they have passed,” Chris LaPré, Head of Technology for the CSA, told TechRadar. “Online it’s hoped that retailers like Amazon could have a checkbox to list only items that have met the standard.”
Improving compliance
Of course, legislation is one thing, enforcement quite another. In the UK, consumer association Which? recently reported that many manufacturers were still failing to comply with the new PSTI legislation, particularly when it comes to informing customers about how long security updates would be provided for purchased products.
Similarly in the US, Mr LaPré admits there remains a problem with the home security ‘ecosystem’, particularly (though, as we’ve seen earlier, not exclusively) low-price Chinese cameras. “If you go on Amazon and say ‘give me a cheap IP camera’ and you just buy it, plug it in, and follow the directions you are probably going to be hacked in a couple of minutes,” he adds. Andy Whaley, Senior Technical Director of Norwegian cybersecurity firm Promon, agrees. “We’ve previously seen how Chinese electronics manufacturer Anker failed to encrypt the camera feed on one of its smart home security devices. This neglect is a prime example of the trade-off between affordability and security.”
According to Richard Hughes, Head of Technical Cyber, A&O Cyber, buying from a reputable brand is always a good idea. “If you purchase products from a company such as ADT or Amazon Ring Security, then you would expect they will have considered the security posture of their devices. But if you purchase devices from some unknown brand then it’s highly likely they will not have allocated any resources to ensure a vulnerability-free product.”
And while it is perhaps ironic to think of the best home security cameras actually increasing your security risk, they do need to be ‘appropriately configured in the first instance, with strong passwords and if available multi-factor authentication to control access,’ explains Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham. It is particularly important to protect the devices on which home security apps operate, including mobile phones and laptops.
So should you buy a home security system? Certainly it’s not without risk, but there has been a definite shift to IoT devices that are ‘secure-by-design’. There are also some simple steps for how to keep your smart home secure which can help make a difference.
At the same time, governments and standards bodies are working to improve basic standards. Consumers too can play their part by deploying strong passwords and ensuring the latest security updates are installed on all their IoT devices, as well as by opting for approved products that display the latest certification – once they’re widely available.