False sense of security: More than 100,000 wireless cameras in UK homes are ‘hackable’ due to software flaws in devices made by Chinese firm HiChip, watchdog warns
- A flaw in the cameras and their associated app can give hackers remote access
- This could include live footage as well as access to other devices on a network
- Which says people with these cameras should stop using them immediately
Wireless security cameras designed to give people a sense of security at home could be leaving their network open to hackers, a consumer watchdog has warned.
More than 100,000 cameras produced by Chinese firm HiChip – and used in homes across the UK – have been shown to have various security flaws by Which.
The consumer group says dozens of camera brands sold in the UK are made by the firm and the flaw could give hackers access to live footage or other devices.
HiSense told Which when informed about the investigation that their devices have a ‘very low security risk’ because it encrypts all data between the camera and the app.
Which has urged anyone with one of these cameras – or any that uses the CamHi app – to stop using it immediately and uninstall the app.
More than 100,000 cameras produced by Chinese firm HiChip – and used in homes across the UK – have been shown to have various security flaws by Which
There is also a security issue with the software that is supplied with the camera, which is used by brands including Accfly, Elite Security, ieGeek, Genbolt and SV3C.
TIPS FOR STAYING SAFE ACCORDING TO WHICH INCLUDE CHANGING DEFAULT PASSWORDS
Change any passwords: Many wireless cameras have weak default passwords, such as ‘admin’.
Set a secure password connecting three random words that you’ll be able to remember.
Keep your camera updated: Not only does this keep your devices secure, but it often adds new features and other improvements.
If in doubt, unplug it or turn it off: No one wants to have to worry about someone snooping in on their home, so deactivate the camera if you’re at all concerned.
If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.
HiChip said the company has focused on IP camera R&D for more than a decade.
‘We encrypt all the commands and data with AES128 between the camera and the APP, above the P2P transfering layer. So our cameras have very low security risk about the end user’s privacy.’
Which says the issue could be exploited by someone to pinpoint where the user lives, target other devices linked to their broadband, and even grant access to live footage and speak via the camera’s microphone.
It also believes an attacker could carry out these activities even if the owner changes their password.
A security expert tested five wireless cameras from Accfly, Elite Security, ieGeek, Genbolt and SV3C – all of which can be purchased on popular online marketplaces – and found that they were affected by the flaw.
More widely, Which? says 47 camera brands worldwide may be jeopardised, 32 of which are currently or were previously sold in the UK, and is therefore advising anyone who believes their camera could be affected to stop using it immediately.
The brands identified include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis.
Any wireless camera using an app called CamHi could be compromised, experts believe – this app and many of the brands are made by China-based HiChip.
Which says HiChip has committed to working with experts on improving safety.
However, the consumer champion has been unable to verify that the proposed updates will fix any of these vulnerabilities.
Which also believes that fundamental flaws in the design and security of existing cameras mean they remain at risk in consumers’ homes.
The weakness revolves around the devices’s Unique Identification numbers (UID), often found on a sticker on the side of the cameras and can be easily discovered and targeted by bad actors.
Using this, hackers can prey on users of the CamHi app when they connect to their camera, thereby steal the device’s username and password, and use those details to gain full access to the camera without the user’s knowledge.
‘People may believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they could be unwittingly inviting hackers into their home or workplace,’ said Kate Bevan, Which computing editor.
Hackers can prey on users of the CamHi app when they connect to their camera, thereby steal the device’s username and password, and use those details to gain full access to the camera without the user’s knowledge
‘Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around – cheap isn’t always cheerful, especially when it comes to unknown brands.
WHICH CAMERAS ARE OPEN TO HACKING: ANY CAMERA THAT USES THE CAMHI APP SHOULDN’T BE USED
Five wireless devices sold in the UK were tested and all had a security flaw that would let hackers in even if the password was changed.
These are Accfly, Elite Security, ieGeek, Genbolt and SV3C.
Other brands at risk of hacking include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis.
Researchers say any camera that comes with the app CamHi is also at risk of being hacked.
‘The Government must push forward with its plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.’
Around two-thirds (23) of the brands sold in the country are currently available on Amazon’s UK website. The consumer group said Amazon has so far declined to remove any after it was approached.
More than half (19) of the brands are on sale on eBay, who said the cameras are ‘all legal to sell in the UK and comply with our existing policies’.
‘We encourage people who purchase any wireless camera product on eBay to take appropriate security precautions, in the same way they would with any smart home devices, online email or social media account,’ the firm explained.
Cameras were also found on Wish.com, who said they were alarmed to hear that a small batch of surveillance cameras may be vulnerable to hacking.
The firm said: ‘We have alerted the sellers who currently list these items and requested they look into this as a matter of urgency, before taking any appropriate remedial action.’
Source: Read Full Article