Invisible eyes: from security concerns to privacy issues

Which are the main security problems of home camera brands according to Google?

1 problem, 0 problem, 2 problems, 3 problems, 4 problems

Aisoul, Alfred, Apeman, Bay Alarm, Brinks, CacaGoo, Clever Dog, Conico, Crystal Vision, Ctronics, D3D, Deep Sentinel, Dericam, DIVINEEAGLE, Ecobee, EEEkit, Eufy, Frontpoint, Funlux, Imou, iota (abode), Kamtron, Koogeek, Kuna (maximus), Lambow, Lighthouse, Logitech, Lynx, MI (Xiaomi), Mobicam, Neos netvue, Oco, Ooma, Pawbo, ProtectAmerica, Revo, Revo, Simcam, Somfy, TBI, Tonton, Trendzino (magnum), Wisenet, Woox, Youmeet, Zosi

Note: The problems found in this research could have been already solved.

Type of Security Problem

Not updated System: Using the old resident’s login details by new house residents.
Easy credential access: Hacking into the home security cameras by easily cracking the login details by tracing down their digital footprints.
Default credential problems: Access to personal information of users who do not change the default login details after purchasing a new home security camera.
Opaque information monitoring: Unaware monitoring of personal video recordings of users by corporate companies for their own benefit.
Unauthorized access to App, Web or System: Illegal viewing, download, upload or insertion of videos, images and other personal information of users through home security cameras.

No. of websites where the security problem is mentioned

Security problems

No information on security problems were found in the following home security camera brands:

Netatmo, Wansview, Lefun, Hive, Auscrezicon, Uniden, Night Owl, Annke, Reolink, Canary, Zmodo, Q-see, Sannce, Meshare, Alarm.com, JOOAN, Blink, August Home, Samsung, Vivint, CP Plus, Amazon CloudCam, Swann, Ubiquiti, ADT, Xfinity (comcast), YI, Wyze, Victure, ieGeek, SimpliSafe, Honeywell

1. Any user is able to disclose a password by accessing a specific URL
2. Allow remote attackers to create a user account in the admin group

Lorex / Flir
1. The FLIR Cloud that allows anyone to build a tunnel to any port
2. Vulnerabilities allow remote code execution, unauthenticated viewing of live images, and reveal hard-coded accounts

Guardzilla
1. Add additional emails to an account for the camera in the Guardzilla Android app without notifying the primary user
2. Easy access to keys to log in and gain full access to the company’s cloud storage

Motorola
1. The private Wi-Fi security key is transmitted unencrypted over an open network
2. Allows remote attackers to conduct stack-based buffer overflow attacks via the IPv4Address field

1. Allow local users to generate password-recovery codes via unspecified vectors.
2. Change the password adding more administrators

tp-link cam
1. Vulnerabilities in the WPA2 security protocol that affect some TP-Link products.
2. To bypass user web interface authentication using hard-coded credentials

D-Link Cam
1. Not encrypted tunneling protocol
2. Information access in “mydlink services” web browser plug-in

Foscam
1. The ONVIF devicemgmt SystemReboot method allows unauthenticated reboot.
2. Easy to hack the username and the password

Ring (Amazon)
1. Access of video and audio from the doorbell allows hacker to spy on the homeowner
2. Access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.

Amcrest
1. Possibility to give access to administrative users into the camera
2. Easy to log in into the information
3. Old images inside / unauthenticated memory corruption bug.

Arlo, LaView, Google Nest
1. WiFi default password vulnerability that uses an easily identifiable code
2. Users getting locked out of their accounts
3. Possible access info old owner information

1. Recent reports of cameras being breached
2. Keys can be used to log in and gain full access to the company’s cloud storage
3. Old owners were able to view snapshots from inside their camera’s new home
4. Weave legacy pairing functionality. If exploited by crafted Weave packets, attackers can trigger an out-of-bounds read and subsequent information disclosure

Ezviz (Hikvision)

Personal information leaked on the internet without the owner’s consent is a recurrent topic in today’s news. This highlights that the companies behind the clouds have security vulnerabilities. According to our research on Google, 49% of the brands have different kinds of security problems, which are divided into 5 major categories.

Main Findings


The brand whose problem is most often repeated across websites is Ring (Amazon), with ‘Unauthorized access to web, app and system’ mentioned on a total of 17 websites. A specific product of the brand, Amazon Cloud Cam, is also in the list of brands with security problems.


The first search done in this protocol returned the 90 most common brands in Google results. Almost half of them, 44, had at least one security problem or vulnerability that allows a hacker to access the system.


The brand Google Nest has the most scandal stories related to privacy. It faces four problem categories. Amcrest and Arlo follow next, each with three problem categories.



The ‘Easy Credential Access’ category covers cameras that have been accessed because the device was protected by no password or only a weak one. It is the second most repeated problem, with 20 companies facing it.

Protocol


Data sources

Date of retrieval

31/10/2019