More than 100,000 hackable cameras are active in UK homes due to a combination of serious security flaws with the devices themselves and a popular app many of them use, a new Which? investigation has found.
The flaws, which affect dozens of camera brands made by the China-based company HiChip and sold cheaply on online marketplaces like Amazon, eBay, Wish and AliExpress, allow hackers to find the exact location of the user’s home and target other devices linked to their home broadband network.
If these vulnerabilities were exploited, the hacker could even access live footage and speak via the camera’s microphone – a serious concern for many people who use these devices as baby monitors connected via the internet.
Worryingly, these flaws can still be exploited even if users change their password.
Which? is advising anyone who believes their camera could be affected to stop using it immediately. The consumer watchdog is warning people against buying products with this security flaw, and believes that such devices should not be manufactured and put on sale.
The issue stems from the weak Unique Identification numbers (UID), often found on a sticker on the side of the cameras, which can be easily discovered and targeted by hackers.
Using the UID numbers, hackers can target users of the popular CamHi app – used by millions of people to view camera footage – when they connect to their camera. The attacker can then steal the device’s username and password, and use the stolen credentials to gain full access to the camera without the user’s knowledge.
Which?, working with US-based security expert Paul Marrapese, tested and verified this security flaw in five wireless cameras from Accfly, Elite Security, ieGeek, Genbolt and SV3C – all of which were purchased from Amazon and available on other online marketplaces.
In total, 47 wireless camera brands worldwide have been identified as potentially having this security flaw, including 32 currently or previously sold in the UK. These brands include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. But Which? believes any wireless camera that uses the CamHi app could be compromised by these flaws.
Which? shared its findings with HiChip, the company behind many of these camera brands and the CamHi app. HiChip is based in Shenzhen, dubbed “China’s Silicon Valley” due to its huge market in electronics products.
The company maintained its cameras have “low-security risk”, but pledged to work with Which? and a US-based security expert on improvements. However, the consumer champion has been unable to verify that the proposed updates will fix any of these vulnerabilities. Which? also believes that fundamental flaws in the design and security of existing cameras mean they remain at risk in consumers’ homes.
Around two-thirds (23) of the brands sold in the UK are currently available at Amazon UK. Which? reported its concerns and asked Amazon to remove listings while investigating the risk they pose. Amazon has so far declined to remove any from its site.
More than half (19) of the brands are on sale on eBay, which maintained that the devices comply with its existing policies and are safe to use, but encouraged users to take appropriate security precautions.
Six of the cameras can be bought on AliExpress, which told Which? it takes “product safety very seriously” and has rules that require third-party merchants to comply with local laws and regulations. Only four camera brands were available on Wish.com, which said it has alerted sellers who list these cameras on its website to investigate Which?’s findings urgently before it takes appropriate action.
In January, the Department of Digital, Media, Culture and Sports (DCMS) announced plans to introduce new laws requiring smart devices sold in the UK to adhere to security requirements. Worryingly, none of the brands Which? tested would meet these requirements.
The government has begun taking the first critical steps to ensure connected devices are safe and meet minimum security requirements before they go on sale. However, just over 12,000 of these security-risk cameras have already been activated in UK homes since March.
Kate Bevan, Which? Computing Editor, said:
“People may believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they could be unwittingly inviting hackers into their home or workplace.
“Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around – cheap isn’t always cheerful, especially when it comes to unknown brands.
“The government must push forward with its plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.”
Right of Reply
AliExpress said: “AliExpress takes product safety very seriously. We have strict platform rules that require all third-party merchants to comply with all applicable local laws and regulations. We work hard to ensure that consumers are protected on our platform.”
Amazon declined to comment.
eBay said: “These cameras that Which? is concerned might put users at risk are all legal to sell in the UK, and comply with our existing policies. These devices can be used safely if used in a network without an internet connection, for example as baby monitors.
“We encourage people who purchase any wireless camera product on eBay to take appropriate security precautions, in the same way they would with any smart home devices, online email or social media account.
“Sellers on eBay have to comply with any applicable law. So if the UK Government introduces new regulations in this area, sellers will of course have to comply with them. Any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers.”
HiChip said: “HiChip has focused on IP camera R&D for more than 10 years and continues to improve the security of the cameras. We encrypt all the commands and data with AES128 between the camera and the APP, above the P2P transferring layer. So our cameras have very low security risk about the end user’s privacy.”
HiChip is working with Which? and Paul Marrapese to “continue to make our cameras more safe”. At the time of writing, HiChip had sent new camera firmware to us for verification.
Wish.com said: “We were alarmed to hear of reports that a small batch of surveillance cameras that use the ‘CamHi’ app may be vulnerable to hacking. We have alerted the sellers who currently list these items and requested they look into this as a matter of urgency, before taking any appropriate remedial action.”
How to improve wireless security in the home
If you’re worried about a camera from another brand that you already have in your home, it’s worth considering some simple steps for peace of mind.
Change any passwords: Many wireless cameras have weak default passwords, such as ‘admin’. Set a secure password connecting three random words that you’ll be able to remember.
Keep your camera updated. Not only does this keep your devices secure, but it often adds new features and other improvements.
If in doubt, unplug it or turn it off. No one wants to have to worry about someone snooping in on their home, so deactivate the camera if you’re at all concerned. If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.
When shopping for a new camera, be wary of any listings that use the CamHi app. You can usually check this by doing a Ctrl+F search for “CamHi”. Also, be wary of cameras (and any IoT devices) that use “peer-to-peer” (usually listed as P2P) technology.