Connected camera inside of restaurant showing security flaw

Over 100,000 UK Connected Cameras Have a Security Flaw Allowing Hackers Access to Live Footage

Consumer watchdog, Which?, has sounded the alarm over certain brands of wireless cameras that allow hackers to access people’s home networks. Although the connected cameras are supposed to provide customers with a sense of security, they have offered an open door for malicious actors to compromise their security and privacy. The cameras in question are manufactured by the Chinese firm, HiChip, and are popular with many people across the UK. More than 100,000 cameras sold across the UK have been confirmed to contain the security flaw. The firm produced an update, but experts remain skeptical it would fix the fundamental flaw in the design of the cameras.

The nature of the security flaw

The security flaw could allow hackers to access live footage as well as access other devices connected to the home network, according to Which? that discovered the security flaw. The vulnerability could also allow someone to pinpoint where the camera user lives, eavesdrop and speak through the camera’s microphone. Hackers could also add the cameras to a botnet and use them as sources for DDoS attacks.

Which? believes an attacker could still carry malicious activities even after the user changes their password.

The security flaw allows the discovery of the connected cameras through the Unique Identification numbers (UID). Once discovered, the hackers are able copy the username and password from the CamHi App to gain full access to the connected cameras.

People believe they are picking up a bargain wireless camera that can bring a sense of security – when in fact they are unwittingly inviting hackers into their home or workplace, according to Kate Bevan, the computing editor for Which?.

She says anyone with any of these connected cameras in their home should turn it off and stop it while consumers should be careful when shopping around for smart cameras especially when cheap and unknown brands are involved.

The compromised cameras are still on sale in most of UK’s online stores. Amazon refused to remove 23 brands, which make up two-thirds of all the affected devices. eBay still lists 19 brands of the affected cameras and claims they are still legal to sell. AliExpress sells six brands and claimed to take product safety seriously and requiring merchants to observe local regulations. Wish had four brands listed and said it had notified the sellers of the security flaw and was waiting for feedback before taking additional measures.

Lack of regulations governing security standards

The reason these insecure cameras are still on sale is because of the lack of government regulations to impose certain security standards for connected cameras. However, The Department of Digital, Media, Culture and Sports (DCMS) plans on introducing security requirements which smart devices should meet. According to Which?, none of the affected devices meets those standards.

Cheap and functional smart devices could trick many buyers to believe that they are just as functional as other well-known brands. Unknown to them, the devices are poorly developed from the ground up, and the reduced price comes at a huge security cost. Their cheap prices could also lure more people to buy them thus making their effects more widespread. It is evident that regulatory measures are desperately needed to protect consumers from rogue smart devices.

Connected cameras affected by the security flaw

When contacted, the HiChip said the security risk posed by the security flaw on its connected cameras was minimal because it encrypts all communication on the P2P channel between the app and the camera using the AES128 encryption.

Security experts have confirmed that the software used by the cameras also has flaws and affects various brands such as Accfly, Elite Security, ieGeek, Genbolt and SV3C. Which? added that almost all of the 47 brands on sale worldwide could be compromised, and 32 of the brands are on sale in the UK.

Any connected camera using the CamHi app is likely manufactured by the Shenzhen-based Chinese firm HiChip, and is compromised. Some of the wireless cameras affected include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis.

HiChip has shown willingness to work with its experts on improving the security of the cameras and has already sent a software update to Which? for analysis. Which? has yet to comment on the ability of the update to fix the security flaw.

Despite the update, these cameras remain a security risk because of their fundamental design. Devices that use peer-to-peer communication protocols can override security controls and grant third parties access to the network. Even if the data was encrypted, hackers could take over other devices on the network.

Which? advises anybody using the mentioned brands of connected cameras or the CamHi app to stop immediately. The consumer body also advises customers to take appropriate security precautions while shopping on platforms still selling the flawed devices such as eBay.


Staff Correspondent at CPO Magazine