More than 6000 wireless cameras active in Scottish homes are vulnerable to hackers due to a combination of serious security flaws, a new investigation has revealed.
The vulnerable devices are used as PC cameras, baby and pet monitors, CCTV, home security and smart doorbells.
The flaws, which affect dozens of camera brands made by the China-based company HiChip and sold cheaply on online marketplaces like Amazon, eBay, Wish and AliExpress, can allow hackers to find the exact location of the user’s home and target other devices linked to their home broadband network, according to new analysis by the consumer organisation Which?
If the vulnerabilities were exploited, the hacker could even access live footage and speak via the camera’s microphone.
Which?, which carried out the probe, said the flaws can still be exploited even if users change their password.
It is advising anyone who believes their camera could be affected to stop using it immediately. The consumer organisation is also warning people against buying products with this security flaw, and believes that such devices should not be manufactured and put on sale.
The issue stems from weak Unique Identification numbers (UID), often found on a sticker on the side of the cameras, which can be easily discovered and targeted by hackers.
The consumer organisation says there are more than 100,000 of the wireless cameras active in the UK, with 6000 in Scotland, including 2075 in Glasgow and 1581 in Edinburgh.
Kate Bevan, Which?'s computing editor, said: “People may believe they are picking up a bargain wireless camera that can bring a sense of security - when in fact they could be unwittingly inviting hackers into their home or workplace.
“Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around - cheap isn’t always cheerful, especially when it comes to unknown brands.
“The government must push forward with its plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.”
The new report says that using the UID numbers, hackers can target users of the popular CamHi app - used by millions of people to view camera footage - when they connect to their camera.
The attacker can then steal the device’s username and password, and use the stolen credentials to gain full access to the camera without the user’s knowledge.
Which? says it is working with US-based security expert Paul Marrapese, who tested and verified the security flaw in five wireless cameras, all of which were purchased from Amazon and available on other online marketplaces.
The consumer organisation believes that as many as 47 wireless camera brands worldwide have been identified as potentially having this security flaw, including 32 currently or previously sold in the UK.
But it believes any wireless camera that uses the CamHi app could be compromised by these flaws.
Around two in three of the brands sold in the UK are currently available at Amazon UK.
Which? reported its concerns and asked Amazon to remove listings while investigating the risk they cause.
More than half of the brands are on sale on eBay, which maintained that the devices comply with its existing policies and were safe to use, but encouraged users to take appropriate security precautions.
Which? shared its findings with HiChip, the company behind many of the camera brands affected and the CamHi app, which is based in Shenzhen, described as China’s Silicon Valley due to its huge market in electronics products.
The company maintained its cameras have “low-security risk”, but pledged to work with Which? and a US-based security expert on improvements.
But Which? says it has been unable to verify that the proposed updates will fix any of these vulnerabilities.
It also believes that fundamental flaws in the design and security of existing cameras mean they remain at risk in consumers’ homes.
HiChip said: "HiChip has focused on IP camera R&D for more than 10 years and continues to improve the security of the cameras. We encrypt all the commands and data with AES128 between the camera and the app, above the P2P transferring layer. So our cameras have very low security risk about the end user's privacy."
EBay said: “These cameras that Which? is concerned might put users at risk are all legal to sell in the UK, and comply with our existing policies. These devices can be used safely if used in a network without an internet connection, for example as baby monitors.
“We encourage people who purchase any wireless camera product on eBay to take appropriate security precautions, in the same way they would with any smart home devices, online email or social media account.”
Amazon were approached for comment.