Thousands of households across the UK are vulnerable to hackers due to security flaws found in wireless cameras, according to Which?
An investigation conducted by the consumer rights organisation found that more than 100,000 cameras active in UK homes contain a combination of serious security flaws.
The vulnerabilities, which affect dozens of camera brands manufactured by China-based firm HiChip, allow cybercriminals to pinpoint the exact location of a user’s home and target other household devices linked to a broadband network.
HiChip devices are sold at low prices on several online marketplaces, including Amazon, eBay and Wish.
If a hacker were to exploit the flaws, they could potentially access live footage and speak through the camera’s microphone, researchers revealed.
The security flaws raise serious concerns for households across the country and Which? said consumers should stop using their camera if they suspect it has been affected.
“People may believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they could be unwittingly inviting hackers into their home or workplace,” said Kate Bevan, Computing Editor at Which?
“Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around – cheap isn’t always cheerful, especially when it comes to unknown brands,” she added.
Households at Risk
Weak Unique Identification numbers (UID) were pinpointed as the source of the issue with many cameras. These are often found on stickers on the side of the cameras, which can be easily discovered and targeted by cybercriminals.
Using these unique identifiers, hackers could target users of the CamHi app, which is used by millions of people to view camera footage. When a user connects the app to their home camera, an attacker is able to steal usernames and passwords and use the stolen information to gain full access to a device – all without the user knowing.
Which? worked closely with US-based security expert Paul Marrapese as part of the investigation.
Tests were conducted on five wireless cameras manufactured by Accfly, Elite Security, ieGeek, Genbolt and SV3C. All of the devices were purchased from Amazon and were found to have serious flaws.
Concerningly, the investigation found that 47 wireless camera brands may contain the security flaw, and 32 of these were currently or previously sold in the UK.
Bill Buchanan OBE, Professor of Cryptography at Edinburgh Napier University, warned that many consumers fail to realise how vulnerable their devices can be and urged homeowners to be vigilant.
“These ‘white-label’ CCTV cameras have been known about for a while, and many of the labelled brands are just the same camera underneath. Many of the cameras we found to have simple default passwords, and these were often not changed. There is thus often a balance between usability and security, and usability often wins,” he said.
“Many people often do not realise that once a device is connected to the internet, it can be easily found by online tools such as Shodan,” he added.
To ensure safety, devices should block logins after three incorrect attempts. This prevents brute-force guessing of a CCTV camera's password, an attack method which hackers often use to great success on devices such as these.
Many did not set a limit, however, and a device could be bombarded with common passwords until the correct login credentials are established.
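The three-attempt lockout described above, sketched in Python as an added example (not code from Which?, HiChip or any camera firmware). The 15-minute lockout window, the account name and the guess list are constructed assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # threshold named in the article
LOCKOUT_SECONDS = 900   # assumed lockout window; the article gives no duration


class LoginGuard:
    """Failed-login counter for a single device account; blocks after MAX_FAILURES."""

    def __init__(self, username, password, clock):
        self._user = username
        self._salt = os.urandom(16)
        self._hash = self._derive(password)   # salted hash, plaintext is not kept
        self._clock = clock                   # callable returning seconds (injectable)
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"   # refused without checking the password at all
        good = hmac.compare_digest(self._derive(password), self._hash)
        good = good and hmac.compare_digest(username.encode(), self._user.encode())
        if good:
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return "denied"


def replay_guesses(guard, username, guesses):
    """Feed a list of guesses to the guard and return the outcome of each."""
    return [guard.login(username, g) for g in guesses]


if __name__ == "__main__":
    now = [0.0]
    guard = LoginGuard("admin", "correct-horse-7", clock=lambda: now[0])
    # Constructed guess list; the real password is fifth, after the lockout triggers.
    guesses = ["admin", "123456", "888888", "password", "correct-horse-7"]
    print(replay_guesses(guard, "admin", guesses))
```

Because the lock is time-limited, repeated wrong guesses can keep the owner out only for the length of the window, while any guesser is still held to three attempts per window.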
Buchanan has investigated home security cameras and web-connected devices previously. On a number of occasions, the vulnerabilities uncovered were highly concerning.
On one occasion, he explains, a web-connected pet feeder was found to be sending publicly streamable video content, and all that was required to access this feed was the IP address of the broadband connection.
A criminal with the right tools and expertise could easily access this live stream and establish if a person was home.
“So, when you are away on your holidays it might be nice to see your pet and watch them feeding themselves, it might be an opportunity for a burglar to observe that there is no-one home,” Buchanan warned.