The cameras are low-cost models that are sold by Amazon, eBay, Wish, AliExpress and other sites, and mostly use the CamHi app to view the live video feed.
Affected brands in the UK include:
- Elite Security
They all use hardware from Chinese company HiChip. The system relies on an insecure ID number to access the camera from your phone. Somewhat surprisingly, hackers can easily discover these UIDs, which are typically printed on a sticker on the camera itself, over the internet.
Along with the CamHi app, that’s pretty much all they need to be able to see your camera’s feed and use other functions it might have such as a speaker, and also to control the direction it faces, if it’s a pan-and-tilt model.
Because of the way the system works, you can’t protect yourself by changing the device’s password: it’s still possible to exploit the flaws in the system.
Worse still, the information they can extract includes the device’s username, password and its precise location, meaning the hacker could use the video feeds to find high-value items to steal, such as cars.
What can you do if you own an affected camera?
Which? says that other devices linked to your home network could also be targeted in an attack, and says the only way you can deal with the problem is by unplugging your camera and simply not using it.
Of course, the number of affected cameras is much larger than the 100,000 or so in use in the UK. Globally there are around 2 million cameras, smart doorbells and baby monitors which have been identified as being vulnerable, according to the hacked.camera website.
It’s run by US-based security expert Paul Marrapese, who tested and verified this security flaw for Which? in five wireless cameras from Accfly, Elite Security, ieGeek, Genbolt and SV3C. The cameras were all purchased from Amazon and are also available elsewhere.
When presented with the evidence, HiChip said its cameras have a “low-security risk”. It is working with Which? and Paul Marrapese to improve security, but as of yet, none of the updates proposed would address any of the flaws.
The problem lies in how the system works, which cannot be solved by a software update. However, Mr Marrapese offers one option, which is to go into your broadband router settings and block outbound traffic to UDP port 32100. That may or may not be possible depending upon your router model and whether you can figure out how to configure it.
This action will allow you to continue using the camera when at home and connected to your home Wi-Fi network, but prevents all remote access, thus stopping the hackers but also stopping you from checking in when you’re not at home.
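As an added example (not from Which? or Paul Marrapese), this Python check reads router firewall logs and lists which devices on the home network are sending UDP traffic to port 32100 on internet addresses, so you can see which devices the block applies to. It assumes the router logs forwarded packets in Linux netfilter LOG format; the sample lines and every address in them are constructed.

```python
import ipaddress
import re

P2P_PORT = 32100  # UDP port named in the article

# RFC 1918 ranges, treated here as "inside the home network" (assumption).
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value pairs in a LOG line

# Constructed sample log; addresses are made up for illustration.
SAMPLE_LOG = """\
Jun 15 09:00:01 router kernel: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=32 TTL=63 PROTO=UDP SPT=40123 DPT=32100 LEN=12
Jun 15 09:00:02 router kernel: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=32 TTL=63 PROTO=UDP SPT=40123 DPT=32100 LEN=12
Jun 15 09:00:03 router kernel: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 LEN=60 TTL=63 PROTO=UDP SPT=5353 DPT=53 LEN=40
Jun 15 09:00:04 router kernel: IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=32100 SYN
Jun 15 09:00:05 router kernel: IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 LEN=32 TTL=63 PROTO=UDP SPT=40999 DPT=32100 LEN=12
Jun 15 09:00:06 router kernel: truncated line with no fields
"""


def is_lan(addr):
    """True if addr falls inside one of the private LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def outbound_p2p_attempts(log_text, port=P2P_PORT):
    """Map each LAN source IP to the external hosts it sent UDP/<port> to."""
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(port):
            continue
        try:
            src, dst = fields["SRC"], fields["DST"]
            if is_lan(src) and not is_lan(dst):
                hits.setdefault(src, set()).add(dst)
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for device, remotes in outbound_p2p_attempts(SAMPLE_LOG).items():
        print(f"{device} -> UDP/{P2P_PORT} on {', '.join(remotes)}")
```

If the router logs these packets from its drop rule, the listed devices are the ones being blocked; entries logged from an allow rule mean the traffic is still leaving the network.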
What's happening about the problem?
These cameras are still on sale and since they’re not breaking any local regulations, retailers will continue to sell them. Which? said that Amazon declined to comment and has not removed from sale any cameras from the 23 affected brands it sells.
Some of the listings even include statements such as "【High-level Security】ieGeek outdoor security camera with Unique Data Encryption Technology can't be logged in without your permission. You can set a serial complex password to protect your camera. You can check it on Camhi or CamHiPro with your phone every time in everywhere you want."
Unfortunately, such claims have now been proven to be false.
eBay said, “These cameras that Which? is concerned might put users at risk are all legal to sell in the UK and comply with our existing policies. These devices can be used safely if used in a network without an internet connection, for example as baby monitors.”
In the UK, there are currently no laws which require smart devices to adhere to security requirements, but the DCMS (Department of Digital, Media, Culture and Sports) is in the process of introducing such laws which would prevent these cameras from being sold.
If you need to buy a new camera because you own one of those mentioned here, or because you want to avoid them, here are our recommendations for the best security cameras.