The Hong Kong Consumer Council tested the cyber security of ten home surveillance cameras on the market and found that only one model complied with the European cyber security standard. The other nine posed various cyber security concerns, including transmitting videos and data without encryption and failing to defend against “brute-force attacks” in which hackers try to crack passwords.
In addition, the security of user data storage could have been improved in many apps, with half of the tested models able to access the user files stored in intelligent devices through Android apps. Some apps even requested excessive permissions.
The Council urges manufacturers to improve the cyber security of their products, for example by introducing anti-brute-force designs and encrypting video and data.
Consumers should also set strong passwords for their surveillance cameras, change them regularly, and make good use of firewalls and network monitoring functions.
The ten models of home surveillance cameras tested were priced between $269 and $1,888, and all provided two-way audio, motion detection, night vision, and Amazon Alexa and Google Assistant voice control. The models tested were from Arlo, Xiaomi, Imou, TP-Link, BotsLab, Eufy, EZVIZ, SpotCam, D-Link, and Reolink.
In addition, the Council commissioned an independent laboratory to test the cyber security and hardware design of these ten models with reference to the European standard ETSI EN 303 645 and the industry standard OWASP MASVS.
Among the ten surveillance cameras, Arlo had the highest total score, four out of five. It received five marks for protection against attack, security of data transmission and apps, and hardware design, but three marks for the security of data storage, and at $1,888 it was the most expensive model in the sample.
The other nine models have a micro-SD memory card slot, into which a card can be inserted to save videos.
5 Models Do Not Have Encrypted Data Transmission
The Council said that live video streaming to mobile devices through the app allows users to keep track of the real-time status.
Four of the models tested did not use the Secure Real-Time Transport Protocol (SRTP) for live streaming, which provides data encryption and message authentication. Instead, they used the less secure, unencrypted Real-Time Transport Protocol (RTP).
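A camera owner or auditor can check a stream captured on their own network for the RTP/SRTP difference described above. The following is an added example, not part of the Council's test method: it assumes the camera sends H.264 video (the article does not say which codec the models use), and all function names and packets are constructed for illustration. SRTP leaves the RTP header readable but encrypts the payload, so cleartext H.264 shows a valid NAL unit header in nearly every packet while encrypted payloads do not.

```python
import hashlib
import struct

def rtp_payload(pkt: bytes):
    """Strip the RFC 3550 header; return the payload, or None if not RTP version 2."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        return None
    offset = 12 + 4 * (pkt[0] & 0x0F)           # fixed header plus CSRC list
    if pkt[0] & 0x10:                            # X bit: header extension present
        if len(pkt) < offset + 4:
            return None
        ext_words = struct.unpack_from("!H", pkt, offset + 2)[0]
        offset += 4 + 4 * ext_words
    return pkt[offset:] if len(pkt) > offset else None

def looks_like_h264_nal(payload: bytes) -> bool:
    """RFC 6184: forbidden_zero_bit is 0 and the NAL unit type is 1..29."""
    first = payload[0]
    return first & 0x80 == 0 and 1 <= (first & 0x1F) <= 29

def classify_stream(packets, min_packets=20, threshold=0.95):
    """Heuristic verdict over many packets; a single packet proves nothing."""
    payloads = [p for p in map(rtp_payload, packets) if p]
    if len(payloads) < min_packets:
        return "insufficient-data"
    hits = sum(looks_like_h264_nal(p) for p in payloads)
    if hits / len(payloads) >= threshold:
        return "cleartext-rtp"
    return "encrypted-or-unknown"

def make_packet(seq: int, payload: bytes, pt: int = 96, ssrc: int = 0x1234ABCD) -> bytes:
    """Build a constructed RTP packet (version 2, no CSRC, no extension)."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 3000, ssrc) + payload

# Constructed sample: cleartext H.264 (0x65 = IDR slice, 0x41 = non-IDR slice).
CLEAR = [make_packet(i, bytes([0x65 if i % 30 == 0 else 0x41]) + b"\x9a" * 40)
         for i in range(40)]
# Constructed sample: hash output standing in for SRTP ciphertext plus auth tag.
PROTECTED = [make_packet(i, hashlib.sha256(b"constructed-%d" % i).digest() * 2)
             for i in range(40)]

if __name__ == "__main__":
    print("clear sample:    ", classify_stream(CLEAR))
    print("protected sample:", classify_stream(PROTECTED))
```

An "encrypted-or-unknown" verdict only rules out plain H.264 over RTP; confirming SRTP still requires checking how the stream's keys were negotiated.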
By Rita Huang, Danny Tang and Nathan Amery