IP CCTV Camera: Privacy and Security Risk
The smart home is on everyone’s lips. Whether remote-controlled light bulbs, heating controls or smoke detectors – everything should be digitized and made easier. As useful as these features are, they can be dangerous to privacy and security. This applies in particular to IP CCTV camera (network cameras), which enable us to access the recordings from anywhere at any time.
Is an IP camera easy to hack? Not the only potential risk
Many believe that they gain security by always using an IP camera to see what is happening around or in their house. Be it on vacation or on the go. As soon as something happens at home, you will either be notified or you will take a quick look to make sure that everything is still in order and to be able to sleep peacefully.
Of course, you are of the opinion that you are the only one who can access the recordings or the live stream of the surveillance camera. But by no means – there are always reports that third parties are gaining unauthorized access. A recently published article by The Intercept shows that one should not only think of hackers as potential attackers of the IP camera. In addition, they are interested in such intimate insights:
- The manufacturer’s employees,
- or state institutions.
A live feed of the surroundings – and perhaps also from inside the house – with high resolution is sure to arouse desires. The article reports on popular IP cameras that have found many friends, especially on Amazon. These can be controlled with Alexa, among other things, and the images can be viewed at any time on the PC, mobile phone or tablet. A great feature in itself – if only there weren’t some allegations in the room.
Employee access to video files from the surveillance camera
Apparently, the manufacturer (s) allegedly gave a Ukrainian research and development team virtually unhindered access to the folder on Amazon’s S3 Cloud Storage Service, which contained all of the videos created by each of the manufacturer’s individual IP cameras. This would result in a huge list of highly sensitive files that can be easily searched and viewed. Downloading and sharing these customer video files would have taken just a few clicks. The background to this should be the further development and improvement of artificial intelligence in the automated evaluation of image material at Amazon.
As a recent study by the American National Institute of Standards and Technology (NIST) showed, the algorithms from Microsoft and the Chinese company Yitu Technology are said to be leaders in facial recognition. In this respect, the other big players, like Google or Amazon, naturally want to do their homework too.
As if the access to the files were not already questionable enough, the video files of the surveillance camera are said to have been stored unencrypted due to the costs of implementing an encryption and possibly endangered sales. In addition, a corresponding database was made available to the team with which each individual video file could be assigned to a customer. At the same time, highly privileged US executives and engineers appear to have also been given access to the company’s technical support video portal. This should have enabled access to unfiltered live feeds from some customer cameras around the clock. For these “chosen ones” only the customer’s email address was required in order to be able to access the surveillance camera.
Opportunity makes thieves
Under these circumstances, only the email address (of a reporter, member of the government or the neighbor) would have been necessary to gain insight into a living room. That such data is easy to find out – if it has not already been made public – was only big in the media last week and the starting point for a blog post on the subject of risk management in a hacker attack.
In addition, the procedure shows a general problem: If someone has access to data, he or she will possibly use it for his own purposes. No matter how good a company’s policies and internal guidelines are, every single user should be aware of the risks. When choosing a provider, you should pay attention to data security and consider which data you want to share.
Many manufacturers have no idea where and in what way any recordings will be saved. If you are price-conscious, you often end up with a Chinese provider who offers a large scope of services at (apparently) low costs. Some people don’t really care that the data may be stored unencrypted somewhere on a (Chinese) server and that the manufacturer and possibly also suppliers, app programmers and governments have access to this data – from hackers completely silent.
But how should you protect yourself and your IP camera?
It is of course best not to use an IP camera. Since this should not be an option for many, one should at least make sure that the network camera is not installed in the most intimate privacy area (e.g., bedroom) and that its use is limited to a minimum. It should therefore be considered to only use the surveillance CCTV camera if this is considered essential and nobody is in the apartment.
In addition, attention should be paid to the selection of the provider of the network camera and content-encrypted storage, if this is announced by the manufacturer at all.
The “basics” of IT security must also not be disregarded:
- Change the default password and settings
- Use only sufficiently strong passwords
- Check and install security updates and patches regularly
- Use of a firewall
- Deactivate plug and play functions
- If possible, use a Virtual Private Network (VPN)
Alternative: IP-Camera in the Private-Cloud
But you can think about a private cloud solution, in which the data from the network camera is encrypted and only stored locally on your own server and not in the provider’s cloud. On the one hand, this is of course not so convenient and also requires sufficient understanding to keep your own system secure. On the other hand, it gives you more control and may represent a less lucrative target for an attacker, because the more data he can access, the more worthwhile his effort.