Last September, Wyze security camera owners in the US were shocked to discover that instead of viewing footage from their own homes on their webcam feeds, they were actually viewing other camera owners’ properties.
“I went to check my cameras and they’re all gone to be replaced with a new one … and it’s not mine,” said one user on Reddit. As it turned out, this was far from an isolated incident.
Less than six months later the same thing happened again. This time 13,000 Wyze users received thumbnails from other people’s cameras, which allowed footage of their homes to be seen by other users. The company said at the time that a ‘surge in demand caused the system to mix up user device IDs and the mapping of user IDs, thereby associating the wrong accounts with some data’ – hardly reassuring for users who expect their security camera footage to remain private.
Wyze isn’t the only culprit either. In 2018, five European security consultants found a way to access footage from security cameras made by Australian company Swann by simply entering a product serial number, without any need for a username and password. And in 2022, security researcher Paul Moore discovered that the Anker-owned Eufy’s Doorbell Dual camera feed could be accessed from a web browser simply by knowing the correct URL, without needing any passwords at all!
Government support
Of course, it would be easy to conclude from these various incidents that owning a home security system is simply more trouble than it’s worth. The good news is that things are improving thanks to new government legislation and a greater public awareness of the importance of strong passwords.
In April, the UK introduced the Product Security and Telecommunications Infrastructure (PSTI) Act. This means that all manufacturers of IoT devices (including security cameras, smart TVs, smart refrigerators, etc.) must meet minimum password requirements, adhere to recognized security standards (ETSI EN 303 645 and ISO/IEC 29147) and inform consumers of the minimum period that security updates are provided for each device. Failure to do so could result in a fine of £10m or 4% of worldwide revenue.
Meanwhile, in the US, the Connectivity Standards Alliance (the group behind the smart home standard Matter) recently introduced an IoT device security specification for smart consumer devices, including light bulbs, switches, thermostats and cameras. Developed by nearly 200 member companies, including Amazon, Google, Schneider Electric and Signify (Philips Hue and WiZ), the specification defines several requirements for IoT devices, including having a unique ID, no hard-coded default passwords, secure storage of sensitive data and software updates during the product support period. Devices that meet these requirements will be able to carry the CSA’s Product Security Verified (PSV) mark. Last year the US government also introduced its own Cyber Trust Mark for products that meet certain safety standards described in a report by the National Institute of Standards and Technology (NIST).
“It’s still early and only a handful of devices have passed certification so far, but the idea is that consumers in a hardware store will be able to check for the mark and also scan a QR code on the device to see what tests they have passed,” Chris LaPré, Chief Technology Officer for the CSA, told TechRadar. “The hope online is that retailers like Amazon can have a checkbox to only list items that have met the standard.”
Improving compliance
Of course, legislation is one thing; implementation is another. In the UK, the consumer association Which? recently reported that many manufacturers were still not compliant with the new PSTI legislation, particularly when it came to informing customers how long security updates would be provided for purchased products.
Similarly in the US, Mr LaPré admits there remains a problem with the home security ‘ecosystem’, particularly (though, as we’ve seen before, not exclusively) with cheap Chinese cameras. “If you go to Amazon and say ‘give me a free IP camera’ and you just buy it, plug it in and follow the instructions you’ll probably be hacked within minutes,” he adds. Andy Whaley, Senior CTO of Norwegian cyber security firm Promon, agrees. “We’ve previously seen how Chinese electronics maker Anker failed to encrypt the camera feed on one of its smart home security devices. This neglect is a prime example of the trade-off between affordability and safety.”
According to Richard Hughes, Head of Technical Cyber, A&O Cyber, buying from a reputable brand is always a good idea. “If you buy products from a company like ADT or Amazon Ring Security, then you would expect them to have considered the security posture of their devices. But if you buy equipment from some unknown brand, then it is very likely that they have not allocated any resources to ensure a product without vulnerabilities.”
And while it’s probably ironic to think about the best home security cameras actually increasing your security risk, they should be “configured properly in the first place, with strong passwords and if there’s multi-factor authentication to control access,” explains Steven Furnell, IEEE senior fellow and professor of cyber security at the University of Nottingham. Especially important is the protection of the devices that run home security applications, including mobile phones and laptops.
So, should you buy a home security system? It’s certainly not without risk, but there has been a definite shift towards IoT devices that are ‘secure by design’. There are also some simple steps for keeping your smart home safe that can help make a difference.
At the same time, governments and standards bodies are working to improve basic standards. Consumers can also play their part by setting strong passwords and ensuring the latest security updates are installed on all their IoT devices, as well as by choosing approved products that display the latest certification as they become widely available.