Thousands of internet-connected cameras sold by Amazon have serious security flaws which leave buyers vulnerable to spying, a leading consumer research body has warned.
UK-based Which? published research this week claiming tens of thousands of indoor security cameras sold by Amazon are not safe and have serious software vulnerabilities. Many of these cameras are sold as baby or pet monitors, and are produced in Shenzhen, China, then sold by little-known companies who are difficult to contact and don't want to communicate with buyers through Amazon's marketplace.
- Wyze Cam v2 review: A remarkably $20 security camera
- How safe is your smart home? This cybersecurity scorecard has the answer
- 5 questions to ask before buying a smart home security camera
Although the report focuses on security cameras sold by Amazon in the UK, GearBrain found several examples of cameras produced by the same companies and sold on Amazon's U.S. website, too.
An Amazon spokesperson told GearBrain: "We require all products offered in our store to comply with applicable laws and regulations, and we proactively monitor multiple sources for safety notifications, including from regulatory agencies and direct contacts from brands, manufacturers, and sellers."
The brands called into question by Which? and its cybersecurity researchers include Vstarcam, ieGeek, Sricam and SV3C; in all, six different cameras were tested. We were able to find a number of Vstarcam cameras sold in the U.S., along with the same Victure 1080p camera flagged by Which? as being potentially unsafe.
Many of these cameras have earned hundreds or even thousands of positive reviews, and some even carry 'Sponsored' or 'Amazon's Choice' badges, suggesting they are being recommended by the retailer.
Having bought six of the questionable cameras from Amazon UK, researchers at Which? found they lacked basic security and could easily be hacked. One made by Vstarcam used 'admin' as its default username, and we can confirm Which?'s claim that the default password can be found with a simple Google search. Knowing these login details could potentially give anyone control of the camera.
Cameras like this one were found to have security issuesVstarcam
Other problems discovered with these cameras include how they send your Wi-Fi network password over the internet without encryption. Which? explains: "This could enable an attacker to access your home Wi-Fi network, see what you're browsing and even gain access to data stored on other devices you have connected at home, such as tablets, laptops and smart speakers."
Addressing the Victure 1080p, which is marketed as a baby monitoring camera on Amazon.com, the report said: "It's fairly simple to gain what's known as 'root' access...This is a bit like having the keys to the front door of a house - a hacker would gain complete control and be able to view footage as they please."
Wyze Cam 1080p HD Indoor Wireless Smart Home Camera with Night Vision, 2-Way Audio, Person Detection, Works with Alexa & the Google Assistant
Security concerns have been raised by buyers of these security cameras on Amazon. One review of the Victure 1080p, published on January 2, 2019 and labeled as a verified purchase, claimed: "Can be hacked and controlled by someone else, do not buy".
The one-star review, of a replacement camera delivered after the first broke, went on to say: "After a couple of days...the camera started to operate and move on its own at night, leading me to believe that somehow it was being controlled by someone other than myself...At night I could hear the camera moving and adjusting so that it could get a view of where it was."
The review was left by someone who has been an Amazon customer since at least 2015, has written 113 reviews, and has received 97 helpful votes from other shoppers.
Amazon review for a camera claimed to spy on its ownerGearBrain
Another verified-purchase review, left for the same camera on March 17, 2019, also gave one star and claimed it switched on by itself. The reviewer, an Amazon user since at least January 2016, said: "The camera will turn on its live feed viewing when I'm not doing this remotely. On more than three occasions, I heard the camera turn on and, when checked, it was on and had been moved/turned around. At first I thought it was a glitch but realized someone was possibly hacking into it and view[ing] and listening...I have unplugged it and refuse to use it."
A review on Amazon.co.uk, spotted by Which? and for a Victure-branded camera used as a baby monitor, said: "Whilst leaning over her crib a voice emanated from the device's speaker and said 'hello' in a softly spoken female voice. It sent chills down my spine."
In partnership with U.S. security engineer Paul Marrapese, Which? believes there are more than 50,000 potentially vulnerable cameras currently active in UK homes and businesses, and an estimated two million worldwide. "Any one of these cameras could be exploited by an attacker to watch the camera picture remotely," the report added.
To prove this claim, Which? bought a Vstar C7837wip camera, which is currently sold on Amazon.com and Amazon.co.uk for around $40 / £40. This was set up in a home and pointed at an empty baby's crib. "It was simple to remotely hack into the video feed," Which? reported.
We urger buyers of smart home security devices like cameras to always change the default user name and password of the device. It is also advisable to only buy from reputable companies which you have previously heard of, can read reviews of online, and can contact in the event of something going wrong, or a privacy flaw being discovered.
All-new Blink XT2 Outdoor/Indoor Smart Security Camera with cloud storage included, 2-way audio, 2-year battery life - 2 camera kit
The 5 Best Questions To Ask Before Buying Security Cameras - GearBrain www.youtube.com