Monday, December 23, 2024

Yes, Your Home Security Cameras Can Be Hacked

But there are ways to prevent it from happening. Here’s how.

Installing an internet-connected security camera in your house won’t necessarily bring a wave of hackers to your Wi-Fi network — but it also has happened before. For example, in 2020, an ADT home security customer noticed an unfamiliar email address connected to her home security account, a professionally monitored system that included cameras and other devices inside her home. That simple discovery, and her report of it to the company, began to topple a long line of dominoes leading back to a technician who had spied, over the course of four and a half years, on hundreds of customers — watching them live their private lives, undress and even have sex.

ADT says it has closed the loopholes that technician exploited, implementing “new safeguards, training and policies to strengthen … account security and customer privacy.” But invasions of privacy are not unique to ADT, and some vulnerabilities are harder to safeguard than others.

Whether you’re using professionally monitored security systems such as ADT, Comcast Xfinity or Vivint, or you just have a few stand-alone cameras from off-the-shelf companies like RingNest or Arlo, here are a few practices that can help protect your device security and data privacy.

Is my home security system at risk for hacking?

Before jumping into solving the problems of device insecurity, it’s helpful to understand how vulnerable your devices really are.

Major professionally monitored security systems — and even individually sold cameras from reputable developers like Google Nest and Wyze — include high-end encryption (which scrambles messages within a system and grants access through keys) almost across the board. That means as long as you stay current with app and device updates, you should have little to fear of being hacked via software or firmware vulnerabilities.

Likewise, many security companies that use professional installers and technicians have strict procedures in place to avoid precisely what happened at ADT. The Security Industry Association — a third-party group of security experts — advises manufacturers such as ADT on matters relating to privacy and security.

“The security industry has been paying attention to [the issue of privacy in the home] since 2010,” said Kathleen Carroll, chair of the SIA’s Data Privacy Advisory Board, “and we continue to work to help our member companies protect their customers.”

Some professionally monitored systems, such as Comcast and now ADT, address the problem by simply strictly limiting the actions technicians can take while assisting customers with their accounts — for instance, disallowing them from adding email addresses to accounts or accessing any recorded clips.

“We have a team at Comcast dedicated specifically to camera security,” a Comcast spokesperson said. “Our technicians and installers have no access to our customers’ video feeds or recorded video, which can only be accessed by a small group of engineers, under monitored conditions, for issues like technical troubleshooting.”

“Only customers can decide who is allowed to access their Vivint system, including their video feeds,” a spokesperson for home security company Vivint said. “As admin users, they can add, remove or edit user settings. And … we regularly conduct a variety of automated and manual audits of our systems.”

Recommended:  Segway website hacked and infected with payment card skimmer

With DIY systems, customers set up their own devices, making technician access a moot point. But if customers opt into additional monitoring, which is often offered alongside individual products, that may complicate the issue.

One such company, Frontpoint, said in an email that it tightly constrains personnel access to customer information, disallowing, for instance, agents from watching customer camera feeds — except in particular, time-boxed cases where permissions are obtained from the customer, for the purpose of troubleshooting or other types of assistance.

A representative of SimpliSafe, another developer straddling the line between DIY and professionally installed home security, responded more broadly to questions about its procedures: “Much of our day-to-day work is focused on maintaining our systems so that vulnerabilities are immediately identified and addressed. This relentless focus includes both internal and external security protocols.”

In short, security companies appear to be consciously using multiple levels of security to protect customers from potential abuse by installers and technicians — even if the processes by which they do this aren’t entirely transparent. But even if they’re effective, that doesn’t mean your smart cameras are totally secure.

How could hackers access my home security cameras?

The ADT case didn’t technically require any hacking on the part of the technician, but what if hacking is involved? There are plenty of cases of remote hacks, after all. And even quality devices with high levels of encryption aren’t necessarily safe from hacking, given the right circumstances.

There are two primary ways a hacker can gain control of a video feed, security expert Aamir Lakhani of FortiGuard told CNET: locally and remotely.

To access a camera locally, a hacker needs to be in range of the wireless network the camera is connected to. There, they would need to obtain access to the wireless network using a number of methods, such as guessing the security passphrase with brute force or spoofing the wireless network and jamming the actual one.

Within a local network, some older security cameras aren’t encrypted or password-protected, since the wireless network security itself is often considered enough of a deterrent to keep malicious attacks at bay. So once on the network, a hacker would have to do little else to take control of the cameras and potentially other IoT devices around your house.

Local hacks are unlikely to affect you, though, as they require focused intent on the target. Remote hacks are the far more likely scenario, and examples crop up fairly often in the news cycle. Something as common as a data breach — such as those at Equifax or Delta — could put your login credentials in the wrong hands, and short of changing your password frequently, there’s not much you could do to prevent it from happening. 

Even if the security company you use — professionally monitored or otherwise — has strong security and end-to-end encryption, if you use the same passwords for your accounts as you do elsewhere on the internet and those credentials are compromised, your privacy is at risk. (If you don’t already, you should definitely start using a password manager to keep track of all of your strong, unique passwords.) 

And if the devices you use are dated, running out-of-date software or simply products from manufacturers that don’t prioritize security, the chances of your privacy being jeopardized rise significantly. 

For hackers with a little know-how, finding the next target with an unsecured video feed is only a Google search away. A surprising number of people and businesses set up security camera systems and never change the default username and password. Certain websites, such as Shodan.io, display just how easy it is to access unsecured video feeds such as these by aggregating and displaying them for all to see.

Recommended:  Patch Tuesday, November 2022 Election Edition

How to know if your cameras have been hacked

It would be almost impossible to know if your security camera — or perhaps more unnervingly, baby monitor — has been hacked. Attacks could go completely unnoticed to an untrained eye and most people wouldn’t know where to begin to look to check.

A red flag for some malicious activity on a security camera is slow or worse than normal performance. “Many cameras have limited memory, and when attackers leverage the cameras, CPU cycles have to work extra hard, making regular camera operations almost or entirely unusable at times,” said Lakhani.

Then again, poor performance isn’t solely indicative of a malicious attack — it could have a perfectly normal explanation, such as a poor internet connection or wireless signal.

How to protect your privacy at home

While no one system is impervious to an attack, some precautions can further decrease your odds of being hacked and protect your privacy in the case of a hack.

Another important step is simply avoiding the conditions for an invasion of privacy. Hacks are unlikely and can be largely avoided, but keeping cameras out of private rooms and pointed instead toward entryways into the house is a good way to avoid the worst potential outcomes of a hack.

Lakhani also suggested putting stand-alone security cameras on a network of their own. While this would doubtless foil your plans for the perfect smart home, it would help prevent “land and expand,” a process by which an attacker gains access to one device and uses it to take control of other connected devices on the same network.

Taking that one step further, you can use a virtual private network, or VPN, to further restrict which devices can access the network the security cameras are on. You can also log all activity on the network and be certain there’s nothing unusual happening there.

Again, the chances of being the victim of an attack like this are quite small, especially if you follow the most basic safety precautions. Using the above steps will provide multiple layers of security, making it increasingly difficult for an attacker to take over.

Known Bad Brands – Brands that lack adequate security policies

As a rule of thumb, brands that are not well-known outside of the online market should be avoided at all costs. Affordable CCTV solutions from Shenzhen-based factories in China sometimes fail to meet wireless safety standards.

Brands that have been proven to have continuous underlying issues, and that you should ultimately avoid are; ieGeek, Sricam, SV3C, and Vstarcam. All come with a friendly price tag, but they are quick to join the list of CCTV cameras that risk your privacy and security.

SEE ALSO:

“Cheap CCTV systems show that they fail to prioritise customers’ security even those that are bestsellers in online marketplaces”

Home security system FAQs

Do I have to sign a contract for home security?

Contracts are sometimes required for professional home monitoring or to qualify for free equipment, so service from home security providers like ADT, Vivint and Xfinity may include one. That said, it’s usually possible to avoid contracts if you pay upfront — and other home security companies like Ring, SimpliSafe and Wyze offer DIY home security solutions that never require one.

Recommended:  Ransomware is hitting one sector particularly hard, and the impact is felt by everyone

What’s the best home security camera system for your home?

Arlo, Nest and Wyze cameras are our top picks for the best home security cameras, but the best one for your home depends on your needs. Be sure to consider price, Wi-Fi connectivity, indoor/outdoor functionality as well as compatibility with other smart home devices and security services when choosing.

How do I set up a home security system?

Some home security systems come with professional installation, so you can rely on the company to install and set up your system. Others, including many DIY systems, may require self-installation and setup. These systems should come with detailed instructions, and they’re often easy to set up. In most cases, you can simply place or mount the devices where desired, then connect them to your Wi-Fi and other smart home devices (if compatible) via app.

What’s the difference between a wired and wireless alarm system?

In a home security context, there are two ways to look at “wired” vs. “wireless.” The first is power — home security systems require electricity to operate, so in that context, a wired system would be one with devices that plug into power, and which rely on your home’s electricity to function. A fair number of current-gen systems use wireless, battery-powered sensors and battery backups for the base stations that will keep the setup running if the power ever goes out — you can think of those systems as “wireless” as far as electricity is concerned.

The second way to look at wired vs. wireless concerns connectivity. Every home security system needs to be able to notify you when there’s a problem and alert the authorities when there’s an emergency. It used to be that systems would notify you with the sound of the alarm, and contact authorities with a wired connection to your phone line, but most current-gen systems can also notify the user of issues with a push alert on their phone, and some will use an internet connection to contact the professionals during an emergency.

Even then, we’d still consider the system to be “wired” if you can stop it from operating by cutting your home’s internet signal. That’s why a growing number of systems include built-in cellular connectivity as a backup. Even if the Wi-Fi goes out (or if a tech-savvy intruder disables it), a system like that will still be able to notify you and the authorities of an emergency by way of that cellular connection. Systems like those are “wireless” in the connectivity sense — and if they double down with a battery backup as well, then they’re as wireless as home security gets.

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy

Homepage

source

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmarkClose
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

RiSec.Mitch
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates

explore

more

security