Nine out of 10 home surveillance cameras on the market in Hong Kong failed to meet European cyber security standards, the city’s consumer watchdog has found.
The Consumer Council on Wednesday released its findings on 10 models of home surveillance cameras that cost between HK$269 and HK$1,888. Only the model from American brand Arlo – which was also the most expensive sampled – complied with the global requirements set out by the European Telecommunications Standards Institute.
Cameras from Arlo, Chinese brands Xiaomi, Imou, TP-Link, BotsLab, Eufy and EZVIZ, Taiwanese brands SpotCam and D-Link, and Hong Kong brand Reolink were tested by an independent laboratory commissioned by the watchdog for protection against cyber attacks, security of data transmission and apps, security of data storage, and hardware design.
According to the council, cameras from Imou, TP-Link, EZVIZ and D-Link used the non-encrypted Real-time Transport Protocol – a way of transferring audio and video – to stream surveillance videos to a mobile device, which would allow hackers to easily access the footage.
Security flaws were also found in Reolink’s camera, which adopted the Hypertext Transfer Protocol for data transmission via the user’s WiFi network, meaning sensitive information was sent without encryption.
The test revealed that hackers could run automated “brute-force attacks” on cameras from Eufy, EZVIZ and D-Link to crack the user’s password, with the latter two using only six digits or characters for the default passcode.
The model from SpotCam, on the other hand, allowed unlimited login attempts, which enabled hackers to “repeatedly try to steal account information,” the council said.
“[T]he password strength of [SpotCam] is extremely weak and easy for hackers to crack and steal videos,” the watchdog said.
The council called on manufacturers to introduce multi-factor authentication, limit login attempts and lock the account automatically following unsuccessful logins from the same IP address within a short time period. They should also set longer and more complicated default passwords to enhance cyber security, it said.
Surveillance camera users were supposed to receive a temporary password, also known as a session key, for encryption and decryption when they logged in and connected to their devices. The interim key should expire after users logged out, but the watchdog found that cameras from BotsLab, SpotCam and Reolink allowed the code from the previous session to remain valid.
“If a hacker successfully stole the old session key, they could connect into the camera and pry into a room’s video,” the watchdog said, adding that Reolink’s device even allowed people to watch the live surveillance video after they logged out.
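The two controls the council asks for above, a per-IP lockout after repeated failed logins within a short window and session keys that stop working at logout, can be sketched in a few lines. The following is an added illustration written for this article, not code from any of the vendors tested or from the Consumer Council; the limits of five failures per 300 seconds, the password hashing scheme and the use of an injectable clock are assumptions chosen for the demo.

```python
import hashlib
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: failed logins allowed per IP in the window
LOCKOUT_SECONDS = 300   # assumed policy: length of that window in seconds

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 so credentials are never stored in the clear (see the council's storage finding)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CameraAuth:
    """Toy login/session model: per-IP lockout and session keys that die on logout."""

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable clock so the window can be tested
        self.users = {}                       # username -> (salt, pbkdf2 hash)
        self.failures = defaultdict(list)     # source IP -> timestamps of failed logins
        self.sessions = {}                    # session key -> username

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _locked(self, ip: str) -> bool:
        # Keep only failures inside the window; lock once the threshold is reached.
        now = self.clock()
        self.failures[ip] = [t for t in self.failures[ip] if now - t < LOCKOUT_SECONDS]
        return len(self.failures[ip]) >= MAX_FAILURES

    def login(self, username: str, password: str, ip: str):
        """Return a fresh session key on success, None on failure or while locked out."""
        if self._locked(ip):
            return None                       # refuse even a correct password while locked
        record = self.users.get(username)
        if record is not None:
            salt, stored = record
            if secrets.compare_digest(hash_password(password, salt)[1], stored):
                self.failures[ip].clear()
                key = secrets.token_urlsafe(32)   # new random key per session
                self.sessions[key] = username
                return key
        self.failures[ip].append(self.clock())    # unknown user and wrong password count the same
        return None

    def logout(self, key: str) -> None:
        self.sessions.pop(key, None)          # the old key must not keep working

    def stream_allowed(self, key: str) -> bool:
        return key in self.sessions           # live video only for a current session
```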
All 10 cameras tested showed inadequacy in the security of their in-app data storage, the Consumer Council said, with sensitive information such as email addresses, account IDs and passwords being saved as plain files with no encryption.
The mobile apps for use with cameras from Xiaomi, Imou, BotsLab, Eufy and EZVIZ also demanded “excessive permission” from users, the council said, including asking for access to the device’s calendar and account information, which may lead to data leaks.
The council reminded the public not to purchase a surveillance camera without a brand name or from unknown sources. They should create a strong password of no fewer than eight characters consisting of upper and lower case letters, numbers and special symbols, it said.
The surveillance cameras should only be switched on when monitoring was needed, the watchdog advised, while users should never use public devices to log into their account to avoid their personal data being stolen.
Users were also reminded to make use of firewalls, network monitoring and activity logs, and told to perform frequent checks to spot suspicious activities. The firmware of the cameras should be updated regularly to ensure security vulnerabilities were fixed, it said.
It added that domestic workers should be informed if any surveillance cameras were installed at home, while employers should consider whether such monitoring was necessary and reasonable, and consider other less privacy-intrusive options.