Over 100,000 active wireless cameras in UK businesses & homes may be vulnerable to hackers because of a combination of security flaws, an investigation has found.
Wireless cameras that use the ‘CamHi app’, including the popular marketplace brands Accfly, ieGeek and SV3C, may allow attackers to spy on users’ homes, a Which? investigation has found.
Attackers could spy on homes, steal data & target other devices, the investigation has found.
Dr Kiri Addison, Head of Data Science for Threat Intelligence & Overwatch at Mimecast observed “IoT devices can provide attackers with an easy route into your home network. With many of us working from home now, this poses an increased risk to businesses, due to the opportunity for an attacker to more easily move from an employee’s personal network to their employer’s.
“Apart from gaining access to the network, internet enabled security cameras can be exploited in a number of other ways, including shoulder surfing to gain information such as credentials, monitoring victims & collating information that can be used to create convincing phishing attacks and cameras with microphones can be used to spy on meetings & gain sensitive information.”
Addison further noted that these heightened threats mean businesses need to provide their workforce with regular awareness training, to ensure best practice is followed & staff remain vigilant.
Jake Moore, a Cyber-security Specialist at ESET commented: “The massive growth in IoT devices placed in the home & office is the perfect opportunity for cyber-criminals to make money from particular types of malware. IoT devices are far too often packaged up with weak, if any, built-in security features, so the public are on the back foot from the outset. Security updates also tend to be infrequent which puts further risks on the owner.
“Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7. If the cameras still record on the premises, they may not need to be online at all, preventing the risk of an attack altogether.”
Around 12,000 of these cameras have been activated in UK homes in the last 3 months, with many still available to buy online.
The National Cyber Security Centre (NCSC) published guidance in March 2020 on safeguarding privacy & security when using a wireless camera.
Boris Cipot, Senior Security Engineer at Synopsys, explained “We use IoT devices and its technology as if it is already matured. Yet, we, as users and consumers of this useful & exciting technology, need to realise that it is still evolving.”
“It has not yet reached the maturity level needed to serve the masses with stability & most importantly, security. We need to proactively verify that our devices are secure. Hopefully, in the future, security will be not only built-in but also mandatory before a device can hit store shelves.”
Cipot commented that the introduction of a standard such as the UK legislation on IoT cyber-security can help to provide the needed oversight, stability & transparency when creating processes & protocols during product development.
He further observed “It also allows for the identification of any missteps, & to adapt, evolve & mature the technology to its best and, in this case, safest version.
“This is an important step when talking about a technology that can, on one hand, be highly advantageous, but also threatening.”
Which? worked with Paul Marrapese, a US-based security researcher, to identify over 3.5 million cameras worldwide that are still at risk. Most of the cameras are in Asia, but more than 700,000 are across Europe, including over 100,000 in the UK.
The design of the cameras & their software means a hacker could potentially access a camera’s video stream or microphone, steal or change a password, access the home location, or add the camera to a botnet.
The known brands that have potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. However, according to Which?, any wireless camera that uses the CamHi app with a specific type of Unique Identification Number (UID) could be compromised.