Home security cameras promoted and sold by Amazon come with “huge” security flaws, according to a new report.
Worryingly, thousands of children are at risk as the Chinese made cameras are often marketed as baby monitors, according to a new report by Which?
The devices claim to provide safety for families and their babies, but instead, they could be potentially exposing them to danger.
The connection between the cameras and the Wi-Fi could be intercepted by hackers and criminals could access and control the cameras.
According to the report, around 50,000 security cameras in the UK and 2 million worldwide may be affected.
Unwanted intrusions through so-called Internet of Things devices have included hacked baby monitors, which have been used to spy on sleeping children.
The report warns that there is evidence that a catalogue of security flaws including weak passwords could be used by cyber criminals.
The consumer watchdog tested several models including the ieGeek 1080p, the Sricam 720p, the Victure 1080p and the Vstarcam C7837WIP which market themselves as providing safety to families and babies.
However, they found serious security issues with the cameras which have thousands of positive customer reviews on Amazon’s website – so much so, that some even carry a coveted Amazon’s Choice’ recommendation.
Amazon Choice labels denote a popular item sold through the online retailer and are typically the top result when searching for an item using the Alexa voice assistant.
The Independent reported that reviews posted to Amazon revealed incidences where buyers claimed strangers had spied on them through the security cameras.
“Someone spied on us. They talked through the camera and they turned the camera on at will. Extremely creepy,” one reviewer wrote about a Victure wireless security camera, which has a 4.4-star rating on Amazon.
The reviewer claimed that three different people experienced it and that Amazon was informed, however the camera continues to be sold.
Which? researchers found that the ieGeek 1080p and Sricam 720p cameras share an app and inbuilt security flaw.
WiFi passwords were sent unencrypted over the internet when someone claiming to be the user requested them.
This means that a cyber-criminal sitting in a parked car outside or even in a room in a different country could access and control the cameras.
A worried Amazon reviewer of the ieGeek baby monitor wrote: ‘Do not buy this camera.
‘There are serious security flaws with the software and the camera itself…. I thought all was fine until someone started speaking through the camera two nights in a row.
‘If you do have one, be very careful about what it can see!’
Another reviewer of the same camera complained: ‘Strangers were viewing my family and speaking to us through the mic. Horrible Experience.
‘One evening the camera moved on its own and someone spoke to us, this was extremely unsettling… Was a horrible feeling knowing people had been viewing our everyday lives.’
The consumer group also found that it was ‘worryingly simple’ to gain root access to the Victure 1080p, which means having the ability to connect to, control and monitor a device as an administrator, so giving a hacker complete control of the camera.
Researchers were able to recover the username and password for the administrator account for the Vstarcam after carrying out simple online checks.
A hacker armed with this information would be able to completely control the camera’s settings.
The Mail Online reported that increasingly, household appliances, products and services, including everything from home cameras to lighting, heating, washing machines and dishwashers, will connect to the web in this way, becoming part of the Internet of Things.
Consumer rights expert at Which?, Adam French, said: ‘There appears to be little to no quality control with these sub-standard products, which risk people’s security yet are being endorsed and sold on Amazon and finding their way into thousands of British homes.
‘Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinise these products.
‘They certainly should not be endorsing products that put people’s privacy at risk.
‘If they refuse to take more responsibility for protecting consumers against these security-risk products then the government should look to make them more accountable.’
Amazon devices themselves have previously been activated when they’re not wanted – meaning the devices could be listening.
Millions of consumers are reluctant to invite the devices and their powerful microphones into their homes out of concern that their conversations are being heard.
Amazon devices rely on microphones listening out for a key word, which can be triggered by accident and without their owner’s realisation.
Wai Man Yau, vice president of security specialists Sonatype, told The Independent: “The revelation that more than 50,000 internet-connected cameras sold by Amazon and other retailers could have critical security flaws will send a shiver down the spine of consumers, but this is only the tip of the iceberg.
“Everyday thousands of vulnerable software components are built into a wide range of devices, and this isn’t limited to unknown brands lurking on Amazon… Manufacturers, retailers, governments and consumers all need to be educated about the risks and work together to secure our increasingly connected world.”