Home surveillance cameras pose privacy risks, data leakage by hacking


The Hong Kong Consumer Council tested the cybersecurity of ten home security cameras on the market and found that nine out of ten had numerous security vulnerabilities. Only one met the European cybersecurity standard, showing how porous or easy access threat actors could gain if they targeted the users of the nine substandard surveillance cameras.

Today, smart homes have become popular thanks to technology. Many households have installed surveillance cameras that are integrated with their smartphones via an internet connection, allowing them to check on their family and property at any time and record video remotely. The internet connection and integration of surveillance cameras with smartphones requires strong cybersecurity to prevent the leakage of videos or sensitive personal data.

The Consumer Council commissioned an Independent laboratory to test the cyber security and hardware designs of models from Arlo, Xiaomi, Imou, TP-Link, BotsLab, Eufy, EZVIZ, Spotcam, D-link, and Reolink with reference to the European Standards ETSI EN 303 645 and the industry-standard OWASP MASVS. All models provide motion detection, night vision, two-way audio, Amazon Alexa, and Google Assistant voice control and here are their findings:

  • 5 models do not have encrypted data transmission: meaning that these devices failed to use Secure Real-Time Transport Protocol (SRTP) which provides data encryption and message authentication in live streaming. Instead, they used the less secured and unencrypted Real-Time Transport Protocol (RTP)
  • 4 models failed to defend against Brute-force attacks: an attacker can try out many possible password combinations using automated tools and programs to gain access to the device. The Council mentioned that one of the samples name SpotCam (model: Solo 2), has no limit on how many times a hacker can log in with a mobile phone application to obtain account information
  • 3 models permit the use of temporal passwords to log into the account multiple times: accessing the camera with a smartphone requires a conversation key similar to a temporal password which expires after disconnection. The Council found out that users can use the initial conversation key to log in again after logging out, which is not supposed to be so
  • the 9 sub-standard models had insufficient data security: users' sensitive information, such as email addresses, account names, or passwords were stored in plain text files without encryption. Some removed the relevant information after some time, giving threat actors time to access the information. The Council also mentioned that 5 models did not block access in their app, which could allow hackers to access the device of the user by implanting a code.

Other findings include problems with the outdated Data Encryption Standard (DES), problems with live video not continuing after logout, and weak passwords. The Council advised manufacturers to improve the quality of their products to meet the European standard, and reminded users to be aware of the shortcomings of these security cameras and to double their internet security measures.