Alarm over security flaws of home cameras

Nine in 10 home surveillance cameras have been found to pose privacy and security risks.

The Consumer Council tested 10 models of home surveillance cameras priced from HK$269 to HK$1,888 and found only one - a HK$1,888 Arlo Pro 4 Spotlight - complied with European cyber security standards in protection against attack, security of data transmission and apps, security of data storage and hardware design.

The rest of the cameras tested by the watchdog were found to have various cybersecurity concerns.

All 10 cameras tested provide two-way audio, motion detection, night vision, Amazon Alexa and Google Assistant voice control.

But half of them exposed security flaws to let in hackers when transmitting video or data to users' mobile devices without encryption.

And video data of four models - Imou, TP-Link, Ezviz and D-Link - were transmitted without encryption, allowing hackers easy access.

Another model, Reolink, did not encrypt sensitive data for transmission and hackers could find the wi-fi router's credential in plain text files.

Even if a user has logged out or logged in to another account in the mobile app people could still watch live video streaming from the camera.

The council also found hackers could launch "brute-force attacks" to crack passwords through multiple attempts in testing all possible password combinations during live streaming of three cameras - Eufy, Ezviz and D-Link.

The council noted too the mobile app of the SpotCam security camera allows users unlimited login attempts.

Victor Lui Wing-cheong, vice chairman of the council's research and testing committee, noted that authorities could make reference with other countries and introduce cyber security standards for Internet of Things devices like surveillance cameras and smartphones.

And he offered tips to consumers to better protect themselves when using home surveillance cameras.

"[People] can consider using stronger passwords and change passwords regularly," he said. "Avoid using public wi-fi and ... limit the use of home surveillance systems - only use it when necessary."

The council suggested manufacturers introduce anti-brute-force attacks designed for live video streaming and account logins, including multifactor authentication, limiting login attempts and locking the account automatically after multiple failed logins from the same IP address within a short period of time.

Council chief executive Gilly Wong Fung-han said manufacturers should take immediate action to improve product security based on the "not so satisfactory outcome" of the tests.

"A highly secure device requires very good design, making sure it can pass through the tests on different standards," she said.

"And they have to put forward good enough information for consumers to make the choice and also teach them how to protect themselves."

sophie.hui@singtaonewscorp.com