
What to Look for When Buying a Security Camera (2023): Tips and Risks

Eufy’s recent scandal shows it’s not so much about the data breach but about how a company responds. Here are a few ways to shop smart.

Wired

Own a Eufy security camera or video doorbell? The recent news exposing serious security flaws from the Anker-owned brand may have caused you some anxiety. I have been testing and reviewing security cameras for several years now. Revelations about data breaches and vulnerabilities are a regular occurrence. Arlo, Nest, Ring, Wyze—every major manufacturer you can think of has had its share of scandals. But it can be challenging to look beyond hyperbolic headlines, weigh the seriousness of each issue, and figure out whether you need to worry.

Security cameras and video doorbells have grown popular as an easy and affordable way to keep an eye on your home. Around 28 percent of Americans protect their property with security cameras, according to a Safewise survey. The systems are easy to install and promise protection from burglars and porch pirates. (Whether they actually make you safer is a question for another day.) To get a better sense of what security camera system you should invest in, how to deal with breaches, and how to find a company you can trust, we spoke to a few experts. We also took a closer look at how Eufy handled its security woes.

Where Eufy Went Wrong

Late last year, security researcher Paul Moore demonstrated that camera systems sold with the promise of local data storage were, in fact, uploading images to the cloud. Worse yet, it was possible to stream video from a Eufy camera without encryption. When we first asked about these issues, the company issued a strong denial, saying it “adamantly disagrees with the accusations.” A couple of months later, Eufy admitted that most of the allegations were true.

A spokesperson explained to WIRED in an email that Eufy only uploaded images (video thumbnails) to deliver push notifications to customers, and in one other case for its Video Doorbell Dual, where it uploaded a face image of the user (for face recognition) to make it easier to set up multiple doorbell devices without having to upload a new image. Eufy has updated the language around its cloud use to address the first issue and removed the upload requirement for the second.

More serious was the issue of accessible unencrypted live streams outside the Eufy system. Eufy claims this required users to log in to the web portal, enter debug mode, and share a link. It’s unlikely anyone would have stumbled upon these links, but the possibility of unencrypted camera streams is a natural cause for concern. Eufy has now applied peer-to-peer encryption to its web portal (mobile app streams were always encrypted). The company flatly denies using any fixed encryption keys, insisting videos have always been encrypted with a dynamic key.

It’s worth pointing out that this isn’t Eufy’s first security scandal. A bug in May 2021 exposed the live and recorded video streams from 712 customers to other Eufy app users, which is arguably worse than the more recent security flaw. But does it matter if a flaw was unlikely to have been exploited? It’s more important to look at how the company responds to these events.

Sadly, it took more than two months for Eufy’s parent company, Anker, to admit some fault and apologize. Early denials sparked deeper media scrutiny as the company tried to downplay Eufy’s security failings, shredding a hard-won reputation in the process. The multiple incidents, and the fact that Eufy was caught in a lie and forced to backpedal, make it tough to regain trust.

Eufy’s failings feel especially egregious because the company generally ticks all the right boxes. Its cameras and doorbells strike the balance between quality and affordability. Anker is a respected brand in the accessory space. And Eufy offers support for two-factor authentication, although not by default, and promises completely local storage and on-device processing for features like facial recognition.

Understand the Risks When Shopping

Despite an abundance of security camera manufacturers, pristine reputations are rare, so how do you choose wisely? “You want to go with a brand name,” says Deral Heiland, principal security researcher for the Internet of Things at Rapid7. “One you’ve heard of, because these companies have to protect their branding.”

Big brands come under greater scrutiny. They are targets for security researchers and amateur tinkerers. And they know that bad press will hurt their business. Since regulation is negligible, many no-name or little-known brands sell untested security cameras that may harbor multiple vulnerabilities. When they run into issues, they disappear or change the brand name.

Two-factor authentication (2FA) is also vital, Heiland says. It prevents anyone who has managed to get your login details from accessing your camera. With 2FA, you need the login details and a fingerprint, facial scan, or automatically generated one-time use code from an authenticator app, text message, or email. WIRED doesn’t recommend any security cameras that don’t at least offer 2FA as an option, but we’d like to see it become the default industrywide.

When you install a security camera, it’s worth thinking about the most compromising or embarrassing thing the camera—outside or inside your house—can see. You need to understand that no internet-connected device is 100 percent safe.

There is always a risk someone is going to gain access to the camera—“be it hackers plugging data-breached passwords in to see if people are reusing them or police who often go to companies, even without warrants, in hopes of getting footage from people’s devices without their knowledge,” says Matthew Guariglia, a policy analyst for the Electronic Frontier Foundation.

After every security camera scandal, you might see some folks argue that they don’t care who sees footage of their front door or backyard. It’s true that there is little value in many of these video streams, which makes them an unlikely target. But Guariglia says security cameras usually have powerful microphones and often pick up more than we think.

Then there’s the issue of other people’s privacy, whether it’s neighbors, window cleaners, or passersby. Security camera footage is frequently shared online without the knowledge of the people who appear in it. Most cameras offer privacy zones so you can confine recordings to your property, and you should consider placement carefully when you install cameras.

You should also do some research before you buy. Guariglia suggests asking questions like, “What would it take for police to get footage from the company? Where is your data going to be stored? Does this company have a history of data breaches or bad cybersecurity?” Unfortunately, answers aren’t always easy to find. Apple, Arlo, Eufy, and Wyze state that they won’t share footage without a warrant or court order. Ring, however, has a close relationship with police departments, and Google may share Nest footage in emergency situations where there is a threat to life.

With a local storage system, you can potentially avoid uploading video to a company server and take it out of the manufacturer’s hands. Look for end-to-end encryption (preferably as a default). You can opt for a local system with no internet connection, but you would only be able to review video when you’re home. If you have the technical know-how to hook up internet-protocol cameras and DVRs without cloud services and connect via a Virtual Private Network (VPN) service, Heiland says that’s another potentially secure route.

Perhaps counterintuitively, it might not be a red flag if your chosen camera brand has had problems in the past, provided the company has fixed them. “It’s better if there have been vulnerabilities reported on a camera because it gives us the ability to take a look at how a company deals with them,” Heiland says. “I’d rather go with a company that’s had multiple vulnerabilities in its cameras and shows a track record of fixing them quickly than a company that’s had no vulnerabilities. Because there’s no such thing as no vulnerabilities.”

Room for Improvement

Where does Eufy go from here? The flaws have been patched, but it says it’s planning to bring on companies in security consulting, certification, and penetration-testing to conduct a comprehensive assessment of its products and eliminate potential risks. Eufy says there will also be an independent review of its processes and practices from an as-yet-unnamed security expert, and it plans to set up a security bounty program. These are positive steps, perhaps necessary growth for any security brand that expects to be taken seriously. It’s unfortunate that it took another scandal for Eufy to act.

If you visit a manufacturer’s website, Heiland says it should be easy to find out how to report a vulnerability. If a company has a bug bounty program offering cash rewards to security researchers (incentivizing people to test the cameras and find flaws), all the better. Arlo, Logitech, Nest, and Wyze have some kind of bug bounty program, though the focus and rewards vary. Research should also turn up reports, like this one on Ezviz by Bitdefender, which shows the company is responsive and quick to investigate and fix flaws.

Keeping things secure is not just down to the camera manufacturer. Heiland warns against recycling passwords and strongly suggests picking long, complex passwords (16 to 24 characters) that mix alphanumeric, uppercase, lowercase, and special characters. You can use a password manager to help you keep track. He also recommends setting up security cameras and IoT devices on a network separate from your main computers, laptops, and phones. Most good routers and mesh systems offer guest or IoT network options that allow this.

If you have indoor security cameras, turn them off when you’re home. Look for cameras with shutters and privacy modes, or turn them around, unplug them, or use a scheduled smart plug. Heiland says he would not have a camera in the house but has less of an issue with carefully positioned outdoor security cameras. Just remember that even if you find a system that ticks all your boxes, there’s only so much you can verify.
