This is how your home security camera invades into your privacy

Knowing how a hacker operates is the first step to protecting your data. This becomes all But if you ask Vitaly Kamluk, Director for Global Research and Analysis Team (GReAT) for APAC at Kaspersky, most IP cameras in the market have no system to protect your privacy.

"The average IP-based cameras come with almost zero security," Kamluk said. "It's extremely simple to hack into the system and steal footage. Each camera, to be available online, has its own little website that enables you to view it in another part of the world. This web interface comes with a full-fledged management console that helps you to change the angle of the footage, zoom in, and even enable sound. This advanced console comes with risks. Specialized search systems can easily trace the footage from these."

Joe Tham, Co-founder of Simshine Intelligent Technology, explained that usually, a hacker would break into the system of a company and gain access to the database of user and password. Then they would try to use this information to log in to the accounts of security cameras. Many people reuse the same username and passwords across multiple accounts and devices. This opens a door for hackers. 

Common scenarios

According to Martin Hron, Senior Security Researcher at Avast Software, there are two main scenarios where private data is leaked. First could be by the wrong configuration of the router and not securing the camera by changing at least a password. Some cameras also use (often by default turned on) UPnP service, which in cooperation with a router, allows to reach out to the camera from the Internet directly, bypassing the router isolation.

"The problem here is that if you, as a user, keep default configuration of a camera, then you are not aware that the device is reachable directly from the internet on the same IP address as your router," Hron said. "In combination with the known vulnerability of the device or default username or password, this can open easy access to the camera and, in some cases, further into your home network."

The second scenario is getting your recorded footage or even live stream directly from cloud servers, in case the camera is cloud-based. In this case, the breach and privacy leak could be severe because if the attacker manages to get access to the cloud server, he/she usually also get data of all the cameras at once.

The persistent default password problem

Tham agreed to this as he added that privacy issues cannot be avoided entirely as long as the device is connected to Wi-Fi. Users should create complicated and unique passwords rather than using default passwords.

"The manufacturers and the cloud server providers should work hard to prevent their servers from being massively breached," Tham noted. "It is recommended that people avoid security camera brands that have been largely targeted by hackers and choose a camera that is based on local processing and local storage."

Multi-factor to the rescue

An even better idea will be to use two-factor authentication if the devices allow it. Manufacturers make use of different methods to provide multi-factor authentication. Tham explained that his company's products come with a LAN Mode to protect users from hackers. In LAN Mode, the user can only view the video when his phone is connected to the same Wi-Fi as the camera. The LAN Mode can only be disabled with the phone lock screen gesture. So even if a hacker can log into your account, he sees nothing but a black screen.

A spokesperson for Canary Connect summed up the best practices by emphasizing the importance of using robust passwords and changing them frequently. Keeping security camera's firmware always up to date is another way user can protect their devices. For example, upon setup, Canary devices automatically update their firmware to ensure users are being provided with the most up-to-date security measures. Over-the-air updates are then pushed to devices as they are rolled out.