- Anker’s eufy security cameras may or may not leak unencrypted video streams.
- Home security cameras are almost impossible to trust 100%.
- You can, however, minimize the risks.
What happens when you can't even trust your own security cameras?
Last week, news blew up that reputable gadget company Anker’s eufy security cameras were uploading private data to the cloud and failing to secure video streams. This turned out to be a bit of a stretch, but the whole debacle raises a good point; even if you choose a reliable, reputable brand, how do you know your security cameras won’t leak data or, worse, be hacked to spy on you in your own home?
Last week, security consultant Paul Moore discovered two major security flaws in Anker's eufy home security cameras—specifically a doorbell model. Moore demonstrated that the camera uploaded thumbnails derived from the video stream to cloud storage, even when the camera was set to not upload anything.
And worse, he said that the camera's stream itself could be hijacked just by knowing the URL for the stream.
The best way to ensure that your home automation devices are not sharing data secretly is to do your research before purchasing any devices.
The first "flaw" is a non-story. The cameras can alert owners when they detect something moving and send a thumbnail of the feed to their phones. How could the camera send an image without sending it? It makes no sense.
The second problem is much worse. If true, it allows you to view unencrypted video streams from your camera using a standard video app like VLC. For what it’s worth, The Verge claims this is a real exploit, while Anker strongly denies the claim.
That situation is worth watching, but let's take a step back. Is it even possible to use an internet-connected camera in your home and have it be safe?
The short answer is, of course, "No." If you connect a camera to the internet, there is a risk. A small risk might be a potential hack when you store all footage locally. That increases if you want to access that video from anywhere via your phone. Then we get to video stored in the camera maker's cloud service and cameras that are simply connected to the internet, with known URLs and no passwords or default passwords.
And, unfortunately, it's down to you, the user, to navigate all this nonsense.
“Consumers are susceptible to attacks on the manufacture of the device as well as attacks targeted to you specifically,” Amir Tarighat, privacy expert and CEO of cybersecurity startup Agency, told Lifewire via email. “For example, the Verkada hack last year involved accessing the devices through the company’s network using root access to the cameras themselves. This is always a risk even if you were to protect your home network from attackers ‘listening’ in on devices accessible to anyone accessing the network.”
Step one is to buy from a reputable maker, although, as we've seen previously, that's not always a good guide. Then, make sure you change any default passwords.
"Additionally, there are some steps you can take to further protect your privacy, such as disabling features that you're not using and not sharing your personal information with any home automation devices," says Kann.
Another option for anyone who uses Apple devices is HomeKit Secure Video. This lets you use compatible cameras with Apple’s iCloud storage and enjoy all the security and privacy benefits it brings. You should still disable any extra features the camera allows in its software and/or app, however.
The problem is that gadget makers are forever adding new features to make their wares more attractive to buyers. Rock-solid security doesn't look as good on the packaging while requiring ongoing investment to keep it secure.
At the same time, insufficient government regulation in this category and the temptation for makers like Amazon to use your video for its own purposes mean it’s hard to trust anyone.
So, essentially, if you do want a camera in your home, just try to be careful out there.