Thousands of people being duped by Amazon-recommended products with huge security risks, Which? finds

Amazon is putting consumers at risk by listing and recommending cameras with security flaws that leave owners exposed to hackers and snoopers, a Which? investigation has found.

The consumer champion carried out tests on six wireless cameras and found serious security flaws – despite all of them having thousands of apparently positive reviews and earning a coveted “Amazon’s Choice” recommendation, which ensures they are prominently displayed on the tech giant’s website. Many of these devices are marketed as being suitable for use as baby monitors.

Issues included weak passwords, strangers being able to remotely take control of the camera to spy into homes and unencrypted data, which could potentially allow a hacker to gain access to any of the devices connected to a home wifi network.

Which? was alerted to these problems by industry experts and concerning comments in Amazon reviews – including from one father who said he had “chills down his spine” after hearing a mysterious voice coming from a camera next to his child’s crib after it was apparently hacked.

The consumer champion initially carried out lab tests on four cameras – the Victure 1080p, Vstarcam C7837WIP, ieGeek 1080p and Sricam 720p.

It was worryingly simple to gain “root access” to the Victure 1080p – which would enable a hacker to take complete control of the camera and view footage as they pleased.

With the Vstarcam C7837WIP, the default username was set to the basic ‘admin’ and an easily guessable default password, a practice openly condemned by the government’s code of practice for consumer Internet of Things security. Researchers were able to recover the username and password for the administrator account after carrying out simple online checks. A hacker armed with this information would be able to completely control the camera’s settings.

The ieGeek 1080p and Sricam 720p cameras appeared to share an app – and a security flaw. In both cases, wifi passwords were sent unencrypted over the internet when a user entered them. This would enable an attacker to access the user’s home wi-fi network, see what users are browsing and even gain access to data – including browsing history – stored on other devices connected around the home, such as tablets, laptops and smart speakers.

Some of these cameras even had passwords and usernames written clearly on the side of the product and people frequently upload pictures of them alongside reviews. Consumers should be wary when uploading such information as this seemingly innocent action could end up inviting hackers into homes. The instruction manuals for these cameras also fail to prompt users to change passwords from the default one provided.

Which? carried out further tests with a US-based security expert who has exposed a critical security flaw that could affect more than 50,000 cameras in the UK and just under two million worldwide. If exploited, it would allow a hacker to steal personal data, breach the owner’s local internet network and even spy on their home.

The expert was able to remotely access and take control of the Elite Security, Accfly Camhi APP Outdoor Security Camera 1080P and the Vstarcam C7837WIP that had been tested in the lab. He was also able to hack into the video feed on the Elite Security camera when it was set up in the home of a Which? employee.

When Which? attempted to contact the manufacturers of these cameras to alert them to these serious security flaws, it proved impossible to trace them, even after the consumer champion enlisted the help of an industry expert based in Shenzhen, the centre of China’s tech industry.

Of the top 50 best-selling surveillance cameras on Amazon.co.uk, 32 are made by companies with limited contact details – 31 of which are registered in China – and sometimes no web presence beyond the online stores where they are sold. Which? discovered a complex and challenging web of different companies involved in producing these cameras, which are often cheaper than well-known brands.

With some, it is virtually impossible to work out who made the product and when security flaws have been flagged by customers, Amazon has not taken action to remove them.

Which? has asked Amazon to remove these products from sale and is calling on the company to systematically monitor customer feedback and investigate those cases where consumers have identified issues with security. When Which? shared its findings with Amazon the company declined to comment.

Which? has shared its research with the Department of Culture, Media and Sport (DCMS) team working on the Secure by Design code for Internet of Things products. It recently carried out a consultation exploring ways to address weaknesses in the system that are allowing connected products with security issues to make it into the homes of UK consumers.

Adam French, Consumer Rights Expert at Which?, said:

“There appears to be little to no quality control with these sub-standard products, which risk people’s security yet are being endorsed and sold on Amazon and finding their way into thousands of British homes.

“Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinise these products. They certainly should not be endorsing products that put people’s privacy at risk.

“If they refuse to take more responsibility for protecting consumers against these security-risk products then the government should look to make them more accountable.”

Which? top tips on how to stay safe

If you’re worried that a camera you already have in your home might not be secure, don’t panic. Just follow our simple tips to stay secure.

  1. Change any passwords. A common flaw with wireless cameras is that they often have weak default passwords that are simple for an attacker to work out. Check the app or camera settings to see if you can change it to a more secure password. See Which?’s password setting advice guide.

  2. Consider where the camera is placed. While a camera faced on a driveway or front door might be OK, avoid places such as a bedroom or private area, and seriously consider whether you want to use such a device to monitor a baby or young child.

  3. If in doubt, turn it off. No one wants to have to worry about someone snooping in on their home, so deactivate the camera if you’re at all concerned.

  4. Be wary when considering a purchase from a brand that you don’t recognise or can’t easily find out more about from a quick search online, and don’t be easily convinced by cheap prices or an abundance of positive customer reviews.

Notes to editors

  • Wireless cameras use ‘Internet of Things’ technology and thousands of people use them to carry out important tasks such as home security and even as baby monitors.
  • Which? worked with lab partner Context Information Security to test four of the wireless cameras.
  • Further information on US-based security expert Paul Marrapese’s work can be found here: https://hacked.camera/
  • The DCMS Code of Practice for consumer IoT security: https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code-of-practice-for-consumer-iot-security
  • The Code of Practice states: ‘Many IoT devices are being sold with universal default usernames and passwords (such as ‘admin, admin’) which are expected to be changed by the consumer. This has been the source of many security issues in IoT and the practice needs to be eliminated. Best practice on passwords and other authentication methods should be followed.’
  • Video available for use: https://youtu.be/MNNeCan_13Q

Amazon RoR

Amazon declined to comment on Which?’s findings.

Press Release