Key Takeaways
- Data breaches like Wyze’s are due to third-party issues, not user errors.
- Use best practices like unique passwords and 2FA to protect smart cameras.
- Privacy features can be remotely manipulated.
When Wyze cameras rebooted after an outage last month, around 13,000 users received thumbnails of footage from someone else’s home. It wasn’t the first time the company, known for its affordable security cameras, apologized for a privacy breach, nor was it the first time an error allowed users to see camera footage that wasn’t theirs.
Wyze is far from alone in its headline-generating errors. From an Amazon employee who accessed female users’ videos to the ADT employee who admitted to breaking into more than 200 accounts, privacy breaches are a real risk with smart home cameras. But is there anything smart homes can do to continue powering features like motion-activated lights, package notifications, and security alerts? Or, does the latest scandal suggest the best approach is to throw out smart cameras entirely?
In the case of Wyze’s latest security breach, data wasn’t accessed through bad passwords or even by sophisticated hackers.
While there are best practices that smart homes can utilize to better protect data, even the most rigid privacy rituals may not prevent privacy breaches. In the case of Wyze’s latest security breach, data wasn’t accessed through bad passwords or even by sophisticated hackers. According to the company, a third-party caching library mixed up device IDs and user IDs, sending the wrong data to accounts.
Is it time to throw out smart cameras?
The Wyze breach could not have been prevented by the users themselves. Dr. TJ OConnor, PhD, the Cybersecurity Program Chair at Florida Tech and the co-author of several research studies on IoT security, explained to us that while the connection to cloud servers was encrypted, the files themselves were not.
As consumers, we have little to no transparency how and where our videos are being stored. All the content is stored in the cloud on content delivery network servers.
It’s a fairly common approach, he said, because the “encrypted at rest” option causes performance and usability issues. Dr. OConnor explained the ins-and-outs clearly to us below:
The Wyze issue represents a greater problem for security camera vendors. As consumers, we have little to no transparency how and where our videos are being stored. All the content is stored in the cloud on content delivery network servers. In the case of Wyze, it appears they store unencrypted video clips and thumbnails on AWS content delivery servers. Failing to encrypt the data is the underlying issue here. This could allow a malicious insider to view the videos. Or in the case here, a technical glitch could inadvertently present our unencrypted videos to other consumers.
In a study OConnor co-authored last year, researchers theorized that the demand for inexpensive smart cameras created numerous grossly unsecured devices. All five of the under-$100 security cameras studied by Kangaroo, NightOwl, and Geeni had insufficient security software, the researchers found, including missing encryption.
Is it time to throw out smart cameras? For the most privacy-conscious, the answer may be yes — after all, only Wyze could have prevented the latest breach, not the end user. However, with cameras being an integral part of many smart home devices, including robot vacuums and smart refrigerators, going camera-free isn’t for everyone.
In fact, after all his research on IoT security flaws, OConnor himself still outfits his residence with doorbell cameras, voice assistants and other smart devices. While he stresses that there are no guarantees of security, utilizing best practices like a separate wireless network and strong passwords can prevent some potential breaches.
Best smart security camera: Top models from Ring, Arlo, and Nest
The best smart security cameras monitor your home’s interior and exterior using 3D motion alerts, night vision, and even Alexa integration.
As for users of Wyze, the past breaches may prove one too many for some customers to stick with the brand. However, OConnor notes that Wyze self-reported the latest breach rather than attempting to hide or deny the error, and when his previous research in 2019 flagged potential issues, the company implemented several changes, including a bug bounty program.
No smart camera carries a guarantee of privacy, as anything in cloud storage has potential vulnerabilities, but implementing a few best practices can prevent some types of ill-gained access.
Never place security cameras in private rooms
The first rule of outfitting a smart home with any camera-equipped device is to leave those gadgets out of private spaces. In the Federal Trade Commission’s complaint against Ring, for example, an employee accessed videos of female users from cameras named after spaces such as bedrooms and bathrooms. If you absolutely must have a smart assistant as an alarm clock or need to jam out with a smart speaker in the shower, choose models that do not have a built-in camera.
If you absolutely must have a smart assistant as an alarm clock or need to jam out with a smart speaker in the shower, choose models that do not have a built-in camera.
Keeping cameras out of bedrooms, of course, isn’t always possible with video baby monitors. If you’ve decided that the privacy risks are worth the peace of mind to both see and hear your child, place the camera so that only the sleeping area is in view and any changing areas are excluded from the footage.
Disable indoor cameras while you are home
Most cameras designed for security or pet cams are unnecessary once you arrive back home — in which case, disabling the cameras when home can be a good idea. If pulling out the app every time you arrive home sounds bothersome, in many cases, you can ask a voice assistant like Alexa to disarm your smart cameras.
Geofencing can automatically arm and disarm those cameras, but that also carries its own privacy risks. Using the location of your smartphone, geofencing will turn off your cameras when you arrive home automatically. Besides eliminating the annoyance of receiving a notification when you walk in front of your own camera, this feature also means there are fewer videos of yourself to potentially wind up on the wrong side of a privacy breach.
OConnor recommends restricting all sharing permissions to the bare minimum, which would mean leaving geofencing features off.
However, this is a double-edged privacy sword. Geofencing requires allowing the smart home app to access your smartphone’s location at all times, which, at best, means you’ll probably be seeing more location-based targeted advertising. OConnor recommends restricting all sharing permissions to the bare minimum, which would mean leaving geofencing features off.
Understand that many privacy features can be remotely disabled.
Any privacy features you can control through a smart home app can potentially be disabled by hackers. Smart home users should keep this in mind when setting up any camera-equipped device. For example, if someone manages to access your account, they could turn off geofencing.
In OConnor’s 2023 study on security risks with budget cameras, for example, the researchers found that a privacy mode on a Kangaroo Privacy Camera that blurred the lens view by activating a liquid crystal lens had a firmware vulnerability that could allow the privacy feature to be manipulated.
Physical privacy features, such as the camera cover on many Alexa Show models, are harder for bad actors to manipulate. Only someone who is physically present can remove the physical privacy cover.
Use a unique, complex password
When setting up a smart home system, never reuse an existing password you’ve set for a different account. Using a complex password — a series of randomly generated letters and numbers is harder to hack than those using common words or easily recalled numbers like birthdays and addresses. A password manager can make the task of creating unique and complex passwords for all your online accounts easier.
Always use multi-factor authentication
Always turn on two-factor authentication for smart home devices. If someone attempts to access your account, in most cases, you’ll receive a notification and can prevent access, then change your password.
What is two factor authentication and why should you use it? Plus how to enable for Apple, Google and more
How to enable two-factor authentication on all your favourite devices and services
Use an isolated wireless access point for all IoT devices
OConnor recommends using a separate wireless access point for any smart home devices. Partitioning your Wi-Fi network, such as creating a VLAN or splitting your router into 2.5Hz and 5Hz networks, allows your smart devices to use a separate W-Fi password. This is especially important if you give your usual Wi-Fi password to house guests.
Restrict sharing permissions
Smart home devices carry more risks than just the camera feeds falling into the wrong hands. Limit your smart home apps to only the minimum required permissions, OConner suggests. For example, restrict access to location services.
Using cloud-connected smart cameras will always carry some level of risk. However, using best practices like strong passwords and a separate Wi-Fi network, you can reduce the chances of your footage ending up in front of the wrong eyeballs.
FAQ
Q: Can smart cameras be hacked?
Any cloud-connected device carries potential privacy risks, including smart cameras. While best practices like strong passwords, a separate Wi-Fi network, and two-factor authentication will help prevent many types of hacks, no smart camera is 100% immune. For this reason, smart cameras should never be placed in private rooms.
Q: Can you tell if your security camera has been hacked?
Some studies have uncovered potential weaknesses that would prevent a user from realizing that their data has been compromised. A 2021 study by the Florida Institute of Technology examined 20 popular smart home devices and found security vulnerabilities could conceal users. The study also found hackers could alter event logs without the owner’s knowledge.
Trending Products
