The owners of the vulnerable indoor cameras are advised to unplug the devices immediately.
Around 3.5 million security cameras installed in homes and offices mainly in Asia and Europe have serious vulnerabilities that expose the gadgets’ owners to the risk that attackers will spy on them, steal their data or target other devices on the same networks, the United Kingdom’s consumer watchdog Which? has warned.
“Brands with potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis,” says Which?, adding that any wireless camera using the CamHi app and sporting a certain type of Unique Identification Number (UID) could be susceptible to a hack. Some 700,000 of the cameras are in use in Europe, including 100,000 in the UK.
These gadgets use peer-to-peer (P2P) features, which allow users to connect to their devices instantly when they come online. The vulnerabilities, indexed as CVE-2019-11219 and CVE-2019-11220, involve iLnkP2P, a P2P solution developed by Shenzhen Yunni Technology Company. If exploited, the loopholes can allow attackers to bypass firewalls and steal passwords.
The consumer watchdog believes that as many as 47 wireless camera brands worldwide may potentially have these flaws. The full list of vulnerable gizmos is available on a site run by Paul Marrapese, an American security engineer who uncovered the issues.
If you own such a camera and it is hijacked, cybercriminals could access the live footage and spy on your home or office, as well as communicate with people nearby if the camera has a microphone. They could also use the camera to pinpoint your exact location, target other devices on your home network, or even add your camera to an online botnet.
Although changing the default password would normally lower the chances of the camera being compromised, in this case it will not help. “In effect, there’s nothing you can do to protect against the flaw,” said Which?. The consumer advocacy organization recommended that anyone who owns a vulnerable camera and uses the CamHi app should remove it from their network and turn it off.
HiChip, the company that produces many of the camera brands and developed the CamHi app, is working together with Which? and Marrapese on improving the security of its cameras. “HiChip has focused on IP camera R&D for more than 10 years and continues to improve the security of the cameras,” said a HiChip spokesperson.
In fact, Which? raised the alarm about the security issues last October. The gizmos can still be bought on Amazon, eBay, Wish.com, and AliExpress and continue to be in use around the globe.
Speaking of security issues in connected security cameras, ESET researchers themselves have uncovered a vulnerability in D-Link cameras that would allow attackers to tap into the video stream.