Posted on June 13, 2020 at 10:18 AM
Security research firm Which recently investigated and discovered a vulnerability that can compromise more than 100,000 indoor security cameras in U.K. businesses and homes.
The research team said the owners of the cameras using the CamHi app may be vulnerable to spying by cybercriminals, apart from the risk of having other devices targeted or their data stolen.
Although many cameras have been taken out from sale, a lot more are still available from online marketplaces like Wish.com, eBay, and Amazon.
More than 12,000 have been activated in UK homes within the past three months alone. The research team at Which says there are about 3.5 million of these types of cameras in use over the world, with the majority of them used in Asia.
IoT devices are always designed with poor security
While responding to the findings, cybersecurity experts at ESET, Jake Moore, pointed out that cybercriminals are taking advantage of the massive growth of IoT devices placed in offices and homes. Cybercriminals are now taking advantage to make money from certain types of malware.
These IoT devices are always designed with frail security features, keeping the public on the back foot from the beginning. And since security updates are not frequent enough, it gives cybercriminals ample time to launch their attack and plant malware.
He also said the major risk is for those cameras online. “Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7,” he said.
Since the cameras are recording on the premise, there is no need to connect them online because it may lead to serious security breaches, Moore reiterated.
WHICH said anyone who owns one of the cameras could be spied on, or worse their data could be targeted.
The security researchers reported the issues with unsecured wireless cameras back in October last year. They reported massive security flaws, especially in cheaply produced wireless cameras, which are usually sold on Amazon as a baby monitor or cheap CCTV.
In March this year, the National Cyber Security Centre (NCSC) presented a safety guideline for people using wireless cameras.
The flaw in the design of the device could invite hackers
While most of the cameras are in Asia, about 700,000 are spread across Europe, with over 100,000 available in the U.K. A hacker could infiltrate the devices and plant malware due to the defects in the design of the devices.
The hackers could do a lot of things when they have access to the victim’s security camera. They can have access to the camera to spy on their home or communicate with people in their homes if the camera comes with a microphone steal. They can also get the location of their home or change the password of the camera to control it exclusively. Other devices connected to the camera will also be at risk.
The flaw is a serious one
For those who already own the security camera, one of the ways to protect and keep the cameras safe is by changing their default password. But this vulnerability can still be exploited even with a changed password. In effect, the user cannot do anything to keep the device secure against the flaw.
Affected Wireless camera brands
WHICH said it bought five wireless cameras from five different brands on Amazon, although the brands are also available on other retail platforms. The brands include SV3C, ieGeek, Genbolt, Elite Security, as well as Accfly.
In collaboration with security expert Paul Marrapese, WHICH said they were able to remotely hack the models they purchased. There may be 47 wireless camera brands affected by the flaw worldwide, the research team revealed.
WHICH researchers also believe that cameras with certain unique Identification Number (UID) that uses the CamHi app could be more vulnerable to the attack.
HiChip, the company producing the chips for the cameras, was contacted but there was no response. Amazon and other companies selling the vulnerable cameras have also been notified, according to WHICH.