As many as 3.5 million wireless home security cameras around the world are at risk of being compromised by cybercriminals due to critical design and software flaws, according to new research from UK consumer watchdog Which? (opens in new tab).
Which? discovered that attackers can potentially leverage these dangerous vulnerabilities to spy on people, access personal data and take control of other devices.
- VPN: stay anonymous and safer online with a virtual private network
- Best antivirus: pick the right software to stay safe online
- Just in: Get IPVanish’s new VPN deal – $5 a month with no upfront cost
The cameras, most of which are available to buy via retailers such as Amazon and eBay, can still be hacked into even if users change their passwords.
Researchers said flaws found in the design and software of these cameras could allow attackers to do things such as:
- Access the video stream of your camera to spy on your home
- Talk to people in your home if the camera has a microphone
- Steal or change your password
- Find the exact location of your home
- Target other devices connected to your home network
- Add your camera to an online botnet
Millions of devices affected
Out of the 3.5 million cameras discovered, the majority were in Asia. However, an estimated 700,000 are being used across Europe while 100,000 are in the UK.
During its investigation, researchers at Which? teamed up with US security expert Paul Marrapese (opens in new tab) to purchase cameras made by Accfly, Elite Security, Genbolt, ieGeek and SV3C through Amazon. The researchers found them easy to hack remotely.
While the researchers tested five models for this investigation, they estimate that 47 wireless camera brands may have this vulnerability, due to shared components and software.
Some of the affected brands include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. Any wireless camera that interfaces with the CamHi mobile app and has a certain type of unique identification number (UID), the researchers say, could be compromised.
Marrapese explained on his website that the UID should be printed on a sticker or label affixed to the camera, often alongside the administrative username and password. On his website, he listed more than 100 UID prefixes that indicated a device might be vulnerable (opens in new tab).
What to do if you have one of these cameras
Kate Bevan, Which? Computing Editor, said: "People may believe they are picking up a bargain wireless camera that can bring a sense of security -- when in fact they could be unwittingly inviting hackers into their home or workplace.
“Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around -- cheap isn’t always cheerful, especially when it comes to unknown brands.
Bevan also called on lawmakers to take action, saying: “The government must push forward with their plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement."
- Read more: Best DIY home security systems in 2020