“Smart homes” have become increasingly popular in recent years, with many households installing home surveillance cameras. Not only can users check on family members anytime, anywhere using smart devices and communicate with them remotely, the cameras can also record videos, making home surveillance cameras an important smart device for home security. As surveillance cameras operate through internet connections, cyber security is crucial, or else videos and sensitive personal data may be leaked, posing privacy and other security risks. The Consumer Council tested the cyber security of 10 home surveillance camera models on the market and found that only 1 model complied with the European cyber security standard, while the other 9 posed various cyber security concerns, including transmission of videos and data without encryption, and failure to defend against “brute-force attacks” by hackers to crack passwords, etc. In addition, security of user data storage was found to be inadequate in many apps, with the Android apps of half of the tested models allowing access to user files stored in smart devices, and some apps even requesting excessive permissions. The Council urges manufacturers to improve the cyber security of products, such as introducing anti-brute-force attack designs and encryption of video and data. Consumers should also set strong passwords for their surveillance cameras and change them regularly, as well as making good use of firewalls and network monitoring functions.
The 10 models of home surveillance cameras tested were priced between $269 and $1,888, all providing two-way audio, motion detection, night vision, Amazon Alexa and Google Assistant voice control. The Council commissioned an independent laboratory to test the cyber security of these 10 models with reference to the European Standards ETSI EN 303 645 and the industry standard OWASP MASVS in areas including protection against attack, security of data transmission and apps, security of data storage, and hardware design.
5 Models Transmitted Videos or Data Without Encryption Exposing Security Flaw for Hackers
Live video streaming to a mobile device through the app allows users to keep track of the real-time status. The test revealed that the live streaming of 4 tested models did not adopt the Secure Real-Time Transport Protocol (SRTP), which provides data encryption and message authentication, but instead used the less secure Real-Time Transport Protocol (RTP). The video data was transmitted without encryption, making it vulnerable to hackers who could easily access the video content. When connecting to the user’s Wi-Fi network, another model adopted the Hypertext Transfer Protocol (HTTP) for data transmission without encrypting the sensitive data, allowing hackers to find the router’s credentials in plain text files. If manufacturers switch to the more secure Hypertext Transfer Protocol Secure (HTTPS), it could provide better privacy protection to users.
The longer and more complex a password is, the more time it would take hackers to crack. The test revealed that during live video streaming of 3 models, a hacker could launch “brute-force attacks”, using automated tools and programs to try all possible password combinations by trial and error until the password is cracked. Among them, the default password of 2 models was only 6 digits or characters, which is extremely weak and easy for hackers to crack in order to steal videos. Besides, 1 other surveillance camera allowed unlimited login attempts while the mobile app was in use, so hackers could repeatedly try to steal account information.
The Council advises manufacturers to introduce anti-brute-force attack designs for live video streaming and account login, such as using multi-factor authentication, limiting login attempts, and locking the account automatically after multiple failed logins from the same IP address within a short period of time, to prevent further attacks by hackers. Manufacturers should also improve cyber security by increasing the length and complexity of the default password.
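One way to implement the lockout described above, as an added example that is not from the Council's report or any tested product: failed logins are counted per source IP in a sliding window, and the address is locked out once a threshold is reached. The class name, function name and threshold values are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock a source IP out after too many failed logins inside a short window."""

    def __init__(self, max_failures=5, window_s=60, lockout_s=300, clock=time.monotonic):
        self.max_failures = max_failures   # assumed policy values, not from the test report
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                 # injectable so the policy can be tested
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout ends

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is not None and self.clock() >= until:
            del self._locked_until[ip]     # lockout has run its course
            return False
        return until is not None

    def record_failure(self, ip):
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_s:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            recent.clear()

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(throttle, ip, supplied, expected):
    """Return 'locked', 'ok' or 'denied'; a locked-out IP never reaches the check."""
    if throttle.is_locked(ip):
        return "locked"
    # Constant-time comparison; a real service would compare salted password hashes.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)
    return "denied"
```

Per-IP counting does not stop guesses spread across many addresses, which is why the advice above pairs it with multi-factor authentication and longer default passwords.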
Old Session Keys of 3 Models Still Valid when Re-logging into Account
Each time the user logs in and connects to their surveillance cameras, a session key, which is equivalent to a temporary password, will be used for encryption and decryption when transmitting information and data. The session key should expire after logging out, and a new session key should be used for the new login. However, test results revealed that the session key from the last login of 3 models was still valid for re-logging in. If a hacker successfully stole the old session key, they could connect to the camera and pry into a room’s video. Among these 3 models, 1 even allowed the live video of the surveillance camera to be watched after logging out or logging in to another account through the app installed on the same phone, indicating a security vulnerability.
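The session-key lifecycle described above, as an added example that is not from the Council's report or any tested product: every login issues a fresh key, while logout, re-login on the same phone and expiry each invalidate the old one. It models the session key as a random token checked on the server side; the class name, method names and lifetime are assumptions.

```python
import hashlib
import secrets
import time


def _digest(key):
    # Store only a hash, so a leaked session table does not reveal usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


class SessionStore:
    """One live session key per app installation; old keys die on logout or re-login."""

    def __init__(self, ttl_s=900, clock=time.monotonic):
        self.ttl_s = ttl_s        # assumed lifetime, not a value from the test report
        self.clock = clock
        self._by_digest = {}      # sha256(key) -> (account, device_id, expires_at)
        self._by_device = {}      # device_id -> digest of that device's current key

    def login(self, account, device_id):
        self._revoke_device(device_id)        # kill whatever key this phone held
        key = secrets.token_urlsafe(32)       # fresh, unpredictable key per login
        self._by_digest[_digest(key)] = (account, device_id, self.clock() + self.ttl_s)
        self._by_device[device_id] = _digest(key)
        return key

    def logout(self, key):
        entry = self._by_digest.pop(_digest(key), None)
        if entry is not None:
            self._by_device.pop(entry[1], None)

    def _revoke_device(self, device_id):
        old = self._by_device.pop(device_id, None)
        if old is not None:
            self._by_digest.pop(old, None)

    def may_view(self, key, camera_owner):
        """True only for an unexpired key issued to the account that owns the camera."""
        entry = self._by_digest.get(_digest(key))
        if entry is None:
            return False
        account, _device, expires_at = entry
        if self.clock() >= expires_at:
            self.logout(key)
            return False
        return account == camera_owner
```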
Inadequate Data Storage Security of Mobile App Imposes Risks of Sensitive Data Leak
Test results also revealed that the security of in-app data storage for all 10 models was inadequate. For example, sensitive data such as email addresses, account IDs or passwords were stored in plain text files, which were not protected with encryption, and the relevant data would only be deleted after a certain period, creating a risk of hacking.
Furthermore, some surveillance camera apps used WebView, which allowed users to browse webpages directly, but the Android apps of 5 models did not block file access, so hackers could access files stored in devices by injecting scripts. Moreover, the apps of 5 models requested excessive permissions, with some accessing quite sensitive data, such as the device’s calendar, account information, and apps being used in real time, which could lead to device data leaks. The Council reminds the public to pay heed to the requested permissions for accessing user data before installing and using surveillance camera apps, because once the download and installation of the app is complete, the app could access the relevant data without further consent from the user, and users will have no knowledge of how and when such data is used by the app.
Domestic Helpers and Visitors Should Be Informed About Use of Surveillance Cameras
According to the Guidelines on CCTV Surveillance Practices and Use of Drones by the Office of the Privacy Commissioner for Personal Data (PCPD), if the surveillance camera is installed at home, the user should inform all family members including domestic helpers, and all visitors, as well as assess the scope and extent of monitoring. Consumers should also fully understand PCPD’s privacy guidance on Monitoring and Personal Data Privacy at Work: Points to Note for Employers of Domestic Helpers, including assessing the necessity of monitoring, the availability of less privacy-intrusive alternatives, the reasonableness of video monitoring, openness in informing employees of monitoring, and proper handling of video records, etc.
Countries such as Singapore, Germany, Finland, and the United States have already introduced Cyber Security Labelling Schemes for Internet of Things (IoT) devices. The European Union has added network and communications security requirements to the Radio Equipment Directive, which will become mandatory in August 2024, and the United Kingdom is studying the introduction of legislation. The Council recommends that the Hong Kong SAR Government make reference to the practices in other jurisdictions, and introduce relevant schemes or standards suitable for Hong Kong to promote the cyber security of local IoT devices.
The Council reminds consumers to be vigilant of the following when choosing and using home surveillance cameras:
- Avoid purchasing products without a brand name or from unknown sources, as not only is the quality not guaranteed, but cyber security may also be inadequate;
- Set a strong password when creating an account, for example, with no fewer than 8 characters and a combination of upper- and lower-case letters, numbers and special symbols, and change it regularly to prevent easy cracking. If the surveillance camera is installed and set up by someone providing door-to-door service, change the password immediately after installation;
- It is recommended that the app be opened and the camera be activated only when monitoring is needed, and that they be turned off at all other times. In addition, consumers should access the security camera and view live video with personal smart devices, never use public devices and those without administrator permission to log into an account, and avoid using public Wi-Fi networks for monitoring to prevent account data from being recorded and stolen;
- Make good use of functions such as firewalls, network monitoring and activity logs, and check logs frequently for suspicious activities. Check and update the firmware regularly to maintain product performance and fix security vulnerabilities;
- In case of any suspicion of hacking or script injection into camera systems, it is recommended to restore the official firmware and reset the product to factory settings, as well as creating a new account with a new password during reinstallation.
Download the article (Chinese only): https://ccchoice.org/557homesurveillancecameras
Consumer Council reserves all its rights (including copyright) in respect of CHOICE magazine and Online CHOICE.