Last September, owners of Wyze security cameras in the US were shocked to discover that instead of watching footage from their own homes on their webcams, they were actually looking into other camera owners’ properties.
“I went to check my cameras and they’re all gone to be replaced with new ones… and this one isn’t mine,” said one user on Reddit. As it turned out, this was far from an isolated incident either.
Less than six months later the same thing happened again: this time 13,000 Wyze users received thumbnails from other people’s cameras, letting users see footage from homes that were not their own. The company said at the time that “a sudden surge in demand caused the system to mix up user device IDs and user ID mappings, linking the wrong accounts with some data”, hardly comforting to users who understandably expect their security camera footage to remain private.
Wyze isn’t the only culprit either. In 2018, five European security consultants found a way to access video footage from security cameras manufactured by Australian company Swann simply by entering the product serial number, without the need for a username and password. And in 2022 security researcher Paul Moore found that Eufy’s Doorbell Dual camera, a brand owned by Anker, could be accessed through a web browser by anyone who knew the right URL, without needing any password!
Government support
Of course, it would be easy to conclude from these various incidents that owning a home security system is simply more trouble than it’s worth. The good news, however, is that the situation is improving thanks to new government legislation and greater public awareness of the importance of strong passwords.
In April, the United Kingdom introduced the Product Security and Telecommunications Infrastructure (PSTI) Act. This means that all manufacturers of IoT devices (including security cameras, smart TVs, smart refrigerators, etc.) must meet minimum password requirements, comply with recognized security standards (ETSI EN 303 645 and ISO/IEC 29147) and inform consumers of the minimum period for which security updates will be provided for each device. Failure to do so could result in a fine of £10m or 4% of worldwide revenue.
Meanwhile, in the US, the Connectivity Standards Alliance (the group behind the Matter smart home standard) recently introduced an IoT device security specification for smart consumer devices, including light bulbs, switches, thermostats and cameras. Developed by nearly 200 member companies, including Amazon, Google, Schneider Electric and Signify (Philips Hue and WiZ), the specification sets out several requirements for IoT devices, including a unique ID, no hard-coded default passwords, secure storage of sensitive data and software updates during the product support period. Devices meeting these requirements will be able to carry the CSA’s new Product Security Verified (PSV) mark. Last year, the US government also introduced its own Cyber Trust Mark for products meeting certain safety standards specified in a report by the National Institute of Standards and Technology (NIST).
“It’s still early days and only a few devices have been certified so far, but the idea is that hardware consumers will be able to check the brand and also scan the QR code on the device to see which tests they’ve passed,” Chris LaPré, CSA Chief Technology Officer, told TechRadar. “Our hope is that on the Internet, retailers like Amazon could have a check box to list only items that meet the standard.”
Improving compliance
Of course, legislation is one thing and enforcement is another. In Great Britain, consumer association Which? recently reported that many manufacturers still did not comply with the new PSTI legislation, particularly when it came to informing customers of how long security updates would be provided for purchased products.
Similarly, in the US, Mr LaPré admits there is still a problem with the home security “ecosystem”, particularly (though, as we saw earlier, not exclusively) cheap Chinese cameras. “If you go to Amazon and say ‘give me a cheap IP camera’ and you just buy it, plug it in and follow the instructions, you’re probably going to get hacked in minutes,” he adds. Andy Whaley, CTO of Norwegian cybersecurity firm Promon, agrees. “We’ve previously seen Chinese electronics manufacturer Anker fail to encrypt a camera on one of its smart home security devices. This neglect is a prime example of the trade-off between affordability and security.”
According to Richard Hughes, Head of Technical Cyber, A&O Cyber, buying from a reputable brand is always a good idea. “If you buy products from a company like ADT or Amazon Ring Security, then you would expect them to consider the security posture of their devices. But if you buy a device from some unknown brand, then it is highly likely that they will not have any resources allocated to ensure a product without vulnerabilities.”
And while it may be ironic to think that the best home security cameras actually increase your security risk, they need to be “configured appropriately in the first place, with strong passwords and where multi-factor authentication is available to control access,” explains Steven Furnell, IEEE Senior Fellow and Professor of Cyber Security at the University of Nottingham. It is especially important to protect devices that run home security applications, including mobile phones and laptops.
So should you get a home security system? It’s certainly not without risk, but there has been a definite shift towards IoT devices that are ‘secure by design’. There are also some simple steps to secure your smart home that can make a difference.
At the same time, governments and standardization bodies are working to improve basic standards. Consumers can also play their part by deploying strong passwords and ensuring the latest security updates are installed on all their IoT devices, as well as opting for approved products with the latest certification – once they are widely available.