Last September, US owners of Wyze security cameras were shocked to discover that their webcam footage was not of their own homes, but of the properties of other camera owners.
“I went to check my cameras and they’re all gone to be replaced with a new one… and this isn’t mine,” said one user on Reddit. It also turned out that this was far from an isolated incident.
Less than six months later, the same thing happened again. This time, 13,000 Wyze users received thumbnails from other people’s cameras, allowing their home’s footage to be viewed by other users. The company said at the time that a “sudden surge in demand caused the system to confuse user device IDs and user ID mapping, associating the wrong accounts with some data” – hardly reassuring to users who understandably expect their security camera footage to remain private.
Wyze isn’t the only one to blame either. In 2018, five European security consultants found a way to access security camera video footage taken by Australian company Swann simply by entering a product’s serial number, without the need for a username and password. And in 2022, security researcher Paul Moore discovered that the camera feed from Anker’s Eufy Doorbell Dual could be accessed through a web browser by just knowing the correct URL, no password required!
Government support
Of course, it would be easy to conclude from these various incidents that owning a home security system is simply more trouble than it’s worth. The good news, however, is that things are getting better thanks to new government legislation and greater public awareness about the importance of strong passwords.
In April, Britain introduced the Product Security and Telecommunications Infrastructure Act (PSTI). This means that all manufacturers of IoT devices (including security cameras, smart TVs, smart fridges etc.) must meet minimum password requirements, adhere to recognised security standards (ETSI EN 303 645 and ISO/IEC 29147) and inform consumers of the minimum period for which security updates will be provided for each device. Failure to do so could result in a fine of £10 million or 4% of global turnover.
Meanwhile, in the US, the Connectivity Standards Alliance (the group behind the Matter smart home standard) recently introduced its security specification for IoT devices, covering smart consumer devices including light bulbs, switches, thermostats and cameras. Developed by nearly 200 member companies including Amazon, Google, Schneider Electric and Signify (Philips Hue and WiZ), the specification imposes several requirements on IoT devices, including a unique ID, no hardcoded default passwords, secure storage of sensitive data and software updates during the product support period. Devices that meet these requirements can use the new Product Security Verified (PSV) marking. Last year, the US government also introduced its own Cyber Trustmark for products that meet certain security standards set out in a report by the National Institute of Standards and Technology (NIST).
“It’s still early days and only a handful of devices have been certified so far, but the idea is that consumers can check in a hardware store to see if the quality mark has been issued and also scan a QR code on the device to see which tests they have endured,” Chris LaPré, CSA chief technology officer, told TechRadar. “Online the hope is that retailers such as Amazon can have a checkbox to only display items that meet the standard.”
Improving compliance
Of course, legislation is one thing, enforcement is another. In Britain, the consumers’ association Which? recently reported that many manufacturers were still not complying with the new PSTI legislation, especially when it came to informing customers about how long security updates would remain available for purchased products.
Similarly, Mr LaPré admits that there is still a problem with the US home security “ecosystem”, particularly (though, as we saw earlier, not exclusively) cheap Chinese cameras. “If you go to Amazon and say ‘give me a cheap IP camera’ and you just buy it, plug it in and follow the instructions, you’re likely to get hacked within a few minutes,” he adds. Andy Whaley, Senior Technical Director at Norwegian cybersecurity company Promon, agrees. “We’ve seen before how Chinese electronics manufacturer Anker failed to encrypt the camera feed on one of its smart home security devices. This neglect is a good example of the trade-off between affordability and security.”
According to Richard Hughes, Head of Technical Cyber, A&O Cyber, buying from a reputable brand is always a good idea. “If you buy products from a company like ADT or Amazon Ring Security, you would expect that they have taken the security of their devices into account. But if you buy devices from an unknown brand, chances are they haven’t allocated resources to ensure a vulnerability-free product.”
And while it may be ironic to think that the best home security cameras could actually increase your security risk, they should be “configured appropriately initially, with strong passwords and multi-factor authentication where available to control access,” explains Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham. It is especially important to protect the devices that run home security apps, including mobile phones and laptops.
So should you buy a home security system? It certainly isn’t without risk, but there has been a definite shift toward IoT devices that are ‘safe-by-design’. There are also some simple steps for keeping your smart home safe that can help make a difference.
At the same time, governments and standards bodies are working to improve basic standards. Consumers can also do their part by deploying strong passwords and ensuring the latest security updates are installed on all their IoT devices, and opting for approved products that display the latest certification – once they become widely available.