Botnet threat: 100,000 wireless cameras in UK vulnerable to hackers

News by Andrew McCorkell

More than 100,000 active wireless cameras in UK businesses and homes may be vulnerable to hackers due to a combination of security flaws, an investigation has found.

Wireless cameras that use the CamHi app, such as popular marketplace brands Accfly, ieGeek and SV3C, might be allowing someone to spy on the user's home, an investigation by Which? has found.

An attacker could spy on homes, steal data and target other devices, the investigation has found.

Dr Kiri Addison, head of data science for threat intelligence and Overwatch at Mimecast, said: "IoT devices can provide attackers with an easy route into your home network. With many of us working from home now, this poses an increased risk to businesses, due to the opportunity for an attacker to more easily move from an employee's personal network to their employer's.

"Apart from gaining access to the network, internet enabled security cameras can be exploited in a number of other ways, including shoulder surfing to gain information such as credentials, monitoring victims and collating information that can be used to create convincing phishing attacks and cameras with microphones can be used to spy on meetings and gain sensitive information."

Addison added that these increased threats require businesses to provide their workforce with awareness training on a regular basis, to ensure best practice is followed and staff are vigilant.

Jake Moore, a cybersecurity specialist at ESET, said: "The massive growth in IoT devices placed in the home and office is the perfect opportunity for cybercriminals to make money from particular types of malware. IoT devices are far too often packaged up with weak (if any) built-in security features, so the public are on the back foot from the outset. Security updates also tend to be infrequent which puts further risks on the owner.

"Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7. If the cameras still record on the premises, they may not need to be online at all, preventing the risk of an attack altogether."

Around 12,000 have been activated in UK homes in the last three months, with many still available to buy online.

The National Cyber Security Centre (NCSC) published guidance in March 2020 on safeguarding privacy and security when using a wireless camera.

Boris Cipot, senior security engineer at Synopsys, said: "We use IoT devices and their technology as if it is already matured. Yet, we, as users and consumers of this useful and exciting technology, need to realise that it is still evolving.

"It has not yet reached the maturity level needed to serve the masses with stability and most importantly, security. We need to proactively verify that our devices are secure. Hopefully, in the future, security will be not only built-in but also mandatory before a device can hit store shelves."

Cipot said that the introduction of a standard such as the UK legislation on IoT cybersecurity can help in providing the needed oversight, stability as well as transparency when it comes to creating processes and protocols during product development.

He added: "It also allows for the identification of any missteps, and to adapt, evolve and mature the technology to its best and, in this case, safest version.

"This is an important step when talking about a technology that can, on one hand, be highly advantageous, but also threatening."

Which? worked with Paul Marrapese, a US-based security researcher, to identify more than 3.5 million cameras around the world that are still at risk. Most of the cameras are in Asia, but more than 700,000 are active across Europe, with more than 100,000 in the UK.

The design of the cameras and the software means a hacker could potentially access the video stream of a camera or microphone, steal or change a password, access the home location or add a camera to a botnet.

The brands that have potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. But according to Which?, any wireless camera that uses the CamHi app with a specific type of Unique Identification Number (UID) could be compromised.
