Inexpensive cameras with a suitable app are mass-produced. But they all have the same problems.
In the USA, as it became known on Wednesday, hackers have gained access to 150,000 networked surveillance cameras from large companies such as Tesla. Such cameras can also be easily bought by private individuals. The offer is huge. Inexpensive devices are already available for 20 to 40 euros. They all use a similar system: they are connected to the internet and send the images to the cloud. This is practical for users, because they can also access the live image with an associated app when they are on the move.
“This is exactly where the problem lies,” says Johannes Greil, head of the SEC Consult Vulnerability Lab, futurezone. “Using the cloud function of some providers, attackers with a little technical understanding and little effort can access all of these cameras.”
In recent years, therefore, images have increasingly appeared on the Internet. The Russian platform Insecam enables anyone to view live images from unsecured cameras. 325 cameras from Austria are still listed here. Among other things, they show the interior of a workshop, various private gardens and house entrances. There are also reports of hackers who gained access to household cameras and were able to look into children's rooms. Just recently, the cameras of 40 daycare centers had to be switched off because a security gap was discovered.
Insecure systems
The fact that these cameras can be viewed online is often a failure of the respective manufacturer. “Often it is not the camera itself that is attacked, but the access via which the data is recorded,” explains Sebastian Bicchi, founder of SEC Research in a futurezone conversation. This means that not just individual cameras, but hundreds or thousands of users are affected by security leaks. There has been no real improvement over the years, both security researchers confirm.
Well-known manufacturers would now deal much better with security gaps. You have your own teams that take care of finding and correcting critical security gaps and also actively invite external testers to report previously unknown bugs. A few use additional security systems such as end-to-end encryption for data transmission, as is known from messaging services such as WhatsApp.
No absolute protection
Security gaps are usually resolved by updating the software with which the cameras are running. According to Greil, however, one thing is always the case: the respective company whose camera and thus cloud storage is used has access to the data. Therefore, before buying, you should ask yourself how much you trust the respective provider. Therefore, you shouldn't necessarily hang the devices in the bathroom or bedroom.
This makes it clear: no cloud camera offers absolute security. The responsibility to buy a device where the manufacturer tries to protect the data rests with the end user. But there is hope. The ENISA (European Cybersecurity Authority) published guidelines in November that define the minimum requirements for networked devices such as cameras. In Great Britain they go a step further and are working on a law that will lay down requirements for providers in detail.
Be careful when buying
Even if no conventional surveillance camera offers absolute security, there are ways to save yourself a few hassles before buying. So you should primarily deal with the manufacturer whose product you want to buy. “If the provider has only been around for a short time and the product range is similar to the offers of other manufacturers, one should be careful,” explains Thomas Weber from SEC Consult.
Companies that offer cameras as mass-produced goods often do not even have a website and would soon cease to exist. “This is dangerous. You buy the device for years of use, but simply don't get any more support ”. He therefore advises researching carefully how long a company has been offering surveillance cameras before buying.
An Amazon search often spits out a lot of offers that show similar cameras
Known bugs
In addition, one should check which security problems have already occurred in the past and how the company dealt with these problems, advises security researcher Sebastian Bicchi. If you search for the device online, you will usually find reports of known vulnerabilities.
It is also important to clarify how long the desired camera will be supported by the manufacturer. If you buy an older model, it is possible that no more security updates will be installed in the future and the camera will be vulnerable to hackers. “Larger manufacturers deliver particularly critical updates later. But you no longer have a right to it, ”explains Bicchi.
Automatic updates
These updates run automatically depending on the provider. The users then only receive a notification on their smartphone. Other manufacturers do not offer this service and you have to check regularly whether there is new software for the device. Manufacturers who have been around for a long time have accordingly also had experience with security gaps, explains Weber. However, a higher price is not an indicator of the quality of the product: “We saw cameras that one provider sells for 23 euros from other providers for 120 euros,” says Weber.
When you set up your camera for the first time, many manufacturers ask you to change the factory-set password. As with all technical devices and accesses, this should be done in any case.
Own network
Experts agree that the safest option is not to use the cloud. But this requires a basic technical understanding. Here, the camera is only connected to the home network via WLAN, without any data being transmitted outside. The pictures can then only be viewed if you are in this WLAN. A VPN (Virtual Private Network) must be used in order to be able to access them while on the move.
