More than 100,000 hackable cameras in UK homes, warns Which?

More than 100,000 wireless cameras active in UK homes are vulnerable to hackers due to a combination of serious security flaws with the devices themselves and a popular app many of them use, a new Which? investigation has found.

The flaws, which affect dozens of camera brands made by the China-based company HiChip and sold cheaply on online marketplaces like Amazon, eBay, Wish and AliExpress, allow hackers to find the exact location of the user’s home and target other devices linked to their home broadband network.

If these vulnerabilities were exploited, the hacker could even access live footage and speak via the camera’s microphone – a serious concern for many people who use these devices as baby monitors connected via the internet.

Worryingly, these attacks can still be exploited even if users change their password.

Which? is advising anyone who believes their camera could be affected to stop using it immediately. The consumer champion is warning people against buying products with this security flaw, and believes that such devices should not be manufactured and put on sale.

The issue stems from the weak Unique Identification numbers (UID), often found on a sticker on the side of the cameras, which can be easily discovered and targeted by hackers.

Using the UID numbers, hackers can target users of the popular CamHi app – used by millions of people to view camera footage – when they connect to their camera. The attacker can then steal the device’s username and password, and use the stolen credentials to gain full access to the camera without the user’s knowledge.

Which?, working with US-based security expert Paul Marrapese, tested and verified this security flaw in five wireless cameras from Accfly, Elite Security, ieGeek, Genbolt and SV3C – all of which were purchased from Amazon and available on other online marketplaces.

In total, 47 wireless camera brands worldwide have been identified as potentially having this security flaw, including 32 currently or previously sold in the UK. These brands include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. But Which? believes any wireless camera that uses the CamHi app could be compromised by these flaws.

Which? shared its findings with HiChip, the company behind many of these camera brands and the CamiHi app, which is based in Shenzhen – dubbed “China’s Silicon Valley” – due to its huge market in electronics products.

The company maintained its cameras have “low-security risk”, but pledged to work with Which? and a US-based security expert on improvements. However, the consumer champion has been unable to verify that the proposed updates will fix any of these vulnerabilities. Which? also believes that fundamental flaws in the design and security of existing cameras mean they remain at risk in consumers’ homes.

Around two-thirds (23) of the brands sold in the UK are currently available at Amazon UK. Which? reported its concerns and asked Amazon to remove listings while investigating the risk they pose. Amazon has so far declined to remove any from its site.

More than half (19) of the brands are on sale on eBay who maintained that the devices comply with their existing policies and were safe to use, but encouraged users to take appropriate security precautions.

Six of the cameras can be bought on AliExpress who told Which? it takes “product safety very seriously” and has rules that require third-party merchants to comply with local laws and regulations. Only four camera brands were available on Wish.com but it said it has alerted sellers who list these cameras on its website to investigate Which?’s findings urgently before it takes appropriate action.

In January, the Department of Digital, Media, Culture and Sports (DCMS) announced plans to introduce new laws requiring smart devices sold in the UK to adhere to security requirements. Worryingly, none of the brands Which? tested would meet these requirements.

The government has begun taking the first critical steps to ensure connected devices are safe and meet minimum security requirements before they go on sale, however just over 12,000 of these security-risk cameras have been activated in UK homes since March, so the government must move faster to stop the market being flooded with dangerous devices.

Kate Bevan, Which? Computing Editor, said: “People may believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they could be unwittingly inviting hackers into their home or workplace.

“Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around – cheap isn’t always cheerful, especially when it comes to unknown brands.

“The government must push forward with its plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.”