More than 100,000 indoor security cameras in UK homes and businesses potentially have critical security flaws which would put them at risk of hacking, a new Which? investigation has found.
If you own one of these cameras, an attacker could spy on your home, steal your data or target other devices. And even if you change the camera's password, it's still potentially at risk.
Many of these potentially vulnerable cameras are still on sale from online marketplaces such as Amazon, eBay and Wish.com, and more than 12,000 were activated in UK homes over the past three months alone.
Read on to find out if you're affected and what to do next.
In October 2019, we - often bought on Amazon as a form of cheap CCTV or a baby monitor. In March 2020, the National Cyber Security Centre (NCSC) - the government's advice and support organisation for cybersecurity threats - issued guidance on , following our previous security research.
While some cameras have since been taken off sale, many are still available and many more are already active around the world.
The majority of the cameras are in Asia, but there are more than 700,000 active across Europe, including more than 100,000 in the UK.
Due to a flaw with the design of the cameras and the software they use, a hacker could:
Changing the camera's default password is usually a solid defence against it being compromised. However, this flaw can still be exploited even if the password has been changed. In effect, there's nothing you can do to protect against the flaw.
We bought five wireless cameras, from Accfly, Elite Security, Genbolt, ieGeek and SV3C, on Amazon (although they're also available on other online marketplaces). Working with US-based security expert Paul Marrapese, we were easily able to remotely hack the models we purchased.
In total, we believe that 47 wireless camera brands worldwide could potentially have this security flaw, including 32 brands currently or previously sold in the UK.
Brands with potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT and Tenvis. However, Which? believes any wireless camera that uses the CamHi app and has a certain type of Unique Identification Number (UID) could be compromised.
We have also verified the findings on a camera from a brand called PNI sold on Amazon.nl in the Netherlands, working with the Dutch consumer organisation Consumentenbond.
If you have a camera from one of these brands, it isn't necessarily vulnerable. However, if you check the mobile app you're using and it's called 'CamHi', then it potentially is.
We would advise anyone with a camera from the above brands and using the CamHi app to remove it from their network and turn it off.
We contacted HiChip, the company behind the CamHi app and manufacturer of many of the camera brands, earlier this year, but struggled to get a response. After persisting, we finally heard back from HiChip in May 2020.
HiChip is now working with Which? and Paul Marrapese to 'continue to make our cameras more safe'.
At the time of writing, HiChip had sent us new camera firmware so we could verify whether it fixes the security flaws that we found. Follow-up tests to judge the impact of these changes are underway.
A HiChip spokesperson told us: 'HiChip has focused on IP camera R&D for more than 10 years and continues to improve the security of the cameras.
'We encrypt all the commands and data with AES128 between the camera and the APP, above the P2P transferring layer. So our cameras have very low security risk about the end user's privacy.'
The wide range of camera brands that use the CamHi app are sold online at a range of marketplaces and retailers. We contacted them for comment.
Amazon sells 23 of the potentially at risk cameras. We contacted the marketplace with our research findings, but it declined to comment.
Ebay, which has listings for 19 of the camera brands, said: 'These cameras that Which? is concerned might put users at risk are all legal to sell in the UK and comply with our existing policies. These devices can be used safely if used in a network without an internet connection, for example, as baby monitors.
'We encourage people who purchase any wireless camera product on eBay to take appropriate security precautions, in the same way they would with any smart home devices, online email or social media account.
'Sellers on eBay have to comply with any applicable law. So if the UK government introduces new regulations in this area, sellers will of course have to comply with them. Any listings on our platform that do not comply with UK regulations or that violate our policies will be removed with appropriate enforcement action taken against sellers.'
Wish.com said: 'We were alarmed to hear of reports that a small batch of surveillance cameras that use the 'CamHi' app may be vulnerable to hacking. We have alerted the sellers who currently list these items and requested they look into this as a matter of urgency before taking any appropriate remedial action.'
AliExpress said: 'AliExpress takes product safety very seriously. We have strict platform rules that require all third-party merchants to comply with all applicable local laws and regulations. We work hard to ensure that consumers are protected on our platform.'
Kate Bevan, Which? Computing editor, said: 'People may believe they are picking up a bargain wireless camera that can bring a sense of security - when in fact they could be unwittingly inviting hackers into their home or workplace.
'Anyone who has one of these cameras in their home should turn it off and stop using it immediately, while all consumers should be careful when shopping around - cheap isn't always cheerful, especially when it comes to unknown brands.
'The government must push forward with their plans for legislation to require connected devices to meet certain security standards and ensure this is backed by strong enforcement.'
If you own a camera that uses the CamHi app, our advice is to stop using it immediately and switch it off or unplug it.
And if you're shopping for a new camera, be wary of any listing for one that uses the CamHi app. You can usually check this by doing a Ctrl+F search for 'CamHi' on the product description page. Also, be wary of cameras (and any IoT devices) that use 'peer-to-peer' (usually listed as P2P) technology. These devices are capable of automatically 'punching holes' through your home network firewall, and this can allow hackers to easily access other vulnerable devices you have at home.
If you're worried about a camera from another brand that you already have in your home, it's worth considering some simple steps for peace of mind.