If you own a wireless security camera, chances are that you bought it to keep your home and family safer. However, you may just be swapping one security risk for a whole cadre of even worse ones. Some of the most popular consumer-grade security cameras on the market are wide open to cyberattacks, and even the good ones don't necessarily offer perfect protection or interfaces.
Magdeburg, Germany-based security firm AV-TEST evaluated eight popular IP cameras (broadly speaking, Wi-Fi dependent security cameras that communicate with mobile apps) whose manufacturers ranged from D-Link to Logitech to Netgear. Only three cameras were vulnerability-free, and even they had room for improvement. Two of the cameras were nearly trivial to compromise, while a crafty cybercriminal could still compromise the middle three, given the right tools and expertise.
To evaluate each camera, AV-TEST looked for potential flaws in the camera's local storage (if available), external app controls, external camera controls, additional camera and app connections, encrypted connections, and storage of images and videos. The company did not give a numerical score, but instead pointed out whether each camera was "vulnerable," "secured" or "partially vulnerable" with regard to each category.
Of the IP cameras tested, the Logitech Circle, the Myfox Security Camera and the Netgear Arlo fared the best. Each earned three out of a possible three stars from AV-TEST. The company found "no noticeable vulnerabilities in the communication of the camera and app" in each camera, meaning that they're about as secure as IP cameras can get.
However, AV-TEST noted "optimization potential" for each camera's companion mobile app, suggesting that the user interfaces are not as user-friendly as they could be. This is not a trivial issue — the more obtuse a UI, the less likely a user is to take charge of his or her own security, which could lead to vulnerabilities down the road.
The D-Link DCS-2132L and the Gigaset Camera scored only one star out of three, with potential vulnerabilities in just about every category tested. (The only exception was that external camera controls were "secured" in the Gigaset.) In particular, AV-TEST cited "[insufficiently encrypted] transmission of information" and "[unencrypted] image transmission" in the D-Link, and "vulnerable encryption" and "unsecured transmission of individual images" in the Gigaset.
(Readers may remember that the U.S. Federal Trade Commission sued D-Link earlier this month for allegedly poor security in its routers and security cameras.)
The remaining cameras — the Netatmo Welcome, the Smartfrog Cam and the Withings Home — all got passable marks, with a mix of "secured," "vulnerable" and "partially vulnerable" features. The exact minutiae of each model are not interesting unless you happen to own one of those particular cameras, but issues ranged from "unsecured transmission of live preview image" to "firmware update transmitted unencrypted." These cameras may not exactly invite cybercriminals into your home, but they don't do everything in their power to keep the criminals out, either.
This is not the only instance in which home security cameras have recently come under fire for poor security. Last week, a group of researchers unearthed a huge flaw in the Samsung SmartCam SNH-1011's software, which the researchers believe may affect the entire Samsung SmartCam line. (A company called Hanwha Techwin licenses the Samsung name to produce these cameras.) It's possible that the Samsung SmartCam HD, a model that we've reviewed, is affected.
Cheapo cameras from no-name manufacturers are even worse, with some having flaws so egregious that researchers recommended that users literally toss them in the garbage.
Unsecured IP security cameras can provide cybercriminals with not only video, but usually sound and still photos as well, of your home or office. If that weren't reason enough to choose a secure camera, unencrypted transmissions could also leak your Wi-Fi password or router credentials, giving an attacker complete control over your home network. An attacker could even draft your camera into a botnet, such as in the recent Mirai DDoS attacks, or spy on your social media interactions, financial dealings and private correspondences.
Owning an IP camera may not be a terrible idea; AV-TEST points out that burglaries in its native Germany have increased by 10 percent since last year. If you do, however, try to buy from a reputable manufacturer, and keep the firmware up to date all the time. If not, you may be trading one kind of insecurity for another.
We've reached out to D-Link and to Hanwha Techwin for comment, and will update this story with replies.