The cheap security cameras inviting hackers into your home

Wireless security cameras being promoted on Amazon as bestsellers and Amazon's Choice products are putting consumer privacy at risk, a Which? investigation has found.

Also marketed as baby and pet monitors, many of these cameras are mass-produced in Shenzhen, China, and appear to undergo little or no quality control before being sold in the UK.

These cameras are appealing targets for hackers and snoopers on a potentially huge scale. One analyst we worked with suggested that around 50,000 security cameras in the UK, or 2m worldwide, contain critical flaws that make it easy for anyone to gain access.

On showing our findings to Amazon and requesting that the affected cameras were removed, it declined to comment.

Browse the best security cameras to make it through our rigorous testing.

Tech tips you can trust-get our free Tech newsletter for advice, news, deals and stuff the manuals don't tell you.

Video: wireless cameras with critical flaws

We found out first-hand just how easy it is to hack an insecure wireless camera.

Security issues with popular cameras on Amazon

To investigate the issue, we bought four wireless security cameras from Amazon. These cameras were easy to find on the Amazon bestseller list, promoted with Amazon's Choice logos, and contained hundreds of positive reviews. All were from brands that are little known outside online marketplaces and based in Shenzhen, China, including Vstarcam, ieGeek, Sricam and SV3C,

Our lab partner, Context Information Security, tested the cameras and found critical issues with all of them. Risks range from your private data being exposed, to a hacker being able to gain complete control of the camera and potentially seeing into your home.

Weak passwords

When we looked at the Vstarcam C7837WIP, the default username is set to the basic 'admin' with an easily guessable password. Through basic research online, we were able to recover the username and password for the administrator account. This could allow someone to completely control your camera.

Unencrypted data

The ieGeek 1080p and Sricam 720p cameras appear to use the same app. When you input your wi-fi password it's sent unencrypted over the internet.

This could enable an attacker to access your home wi-fi network, see what you're browsing and even gain access to data stored on other devices you have connected at home, such as tablets, laptops and smart speakers.

Full camera takeover

With some cameras, an attacker can take complete control over the device.

For example, it's fairly simple to gain what's known as 'root' access to the Victure 1080p. This is a bit like having the keys to the front door of a house - a hacker would gain complete control and be able to view footage as they please.

This issue was even flagged in one customer review on Amazon for the camera in May 2019, yet nothing has been done to fix it by the manufacturer and it remains on sale.

Critical security flaws across the UK

To investigate the true scale of non-secure wireless IP cameras on sale, we worked with US security engineer Paul Marrapese. He has exposed a critical security flaw affecting cameras that are popular on Amazon and other retailers.

If exploited, this vulnerability could allow an attacker to easily compromise the personal data of anyone who owns one of these cameras, breach their local internet network and even spy on their home.

Based on this data, it's believed that more than 50,000 potentially vulnerable cameras are active in UK homes and businesses, with more being added each day.

Around the world there are estimated to be almost 2m vulnerable devices. Any one of these cameras could be exploited by an attacker to watch the camera picture remotely.

Below, an image illustrates the rough geographic spread of potentially vulnerable cameras worldwide based on Paul Marrapese's research. 

To verify his findings, we purchased three cameras in September 2019 from Amazon and asked Paul Marrapese to hack them.

He was easily able to remotely locate the ELITE SECURITY and Accfly Camhi APP Outdoor Security Camera 1080P - both listed as Amazon Choice with hundreds of reviews - and the Vstarcam C7837wip Wireless Camera 720P, which we set up in a controlled environment.

We set up the Elite Security camera in the home of a Which? employee and it was simple to remotely hack into the video feed. The camera was placed over a baby's crib at the time.

Paul was only given one piece of information about the camera - he was not told its location or what it was filming. This piece of data is simple to discover - in fact, it is often revealed by users in their reviews on Amazon.

We test and rate baby monitors on the strength of their privacy and security. Read our baby monitor reviews for more.

A wireless camera set up in the home of a Which? researcher was easy to hack.

An influx of 'unknown' brands on Amazon

Disturbingly, the types of cameras we found issues with are very easy to find in the UK.

Type 'wireless cameras' into Amazon and you'll get more than 50,000 results - and many of the brands, such as Victure and ieGeek, are as prominent as they are unfamiliar. The cameras are cheap, sometimes costing under £30, have hundreds or even thousands of positive reviews, and might at first glance seem like a bargain.

But who are the companies behind these devices designed to offer security and peace of mind in the home, and how established are they?

Of the top 50 bestselling surveillance cameras on Amazon.co.uk at the time of the investigation, 32 are from companies that have no web presence at all outside of online marketplaces, or very basic websites with limited contact details. With some, it's virtually impossible to work out who actually made the product.

Victure and ieGeek, two of the brands we tested with a flaw that could allow a hacker to access your home wi-fi network and gain complete control over the camera, had a dozen cameras in Amazon's top 50 and thousands of positive reviews. Both these brands have very limited contact details, which also raises the question of who to get in touch with if you have concerns.

We discovered this first-hand for ourselves. We regularly test connected products to see how well they protect your privacy and security, and when we find problems we try to work with the company to get them fixed. However, despite numerous attempts to get these vulnerabilities addressed, we had no success.

We worked with David Li, an industry expert based in Shenzhen. Using his local knowledge, David tried to reach the companies involved in making the cameras, but he was unable to bring our findings to anyone involved in making the devices.

Amazon customer reviews highlight issues

It appears that Amazon is not monitoring potential issues flagged by customers, either.

One customer left a disturbing comment for a Victure-branded camera, bought for use as a baby monitor, saying: 'Whilst leaning over her crib a voice emanated from the device's speaker and said 'hello' in a softly spoken female voice. It sent chills down my spine.' 

Many other cameras included one-star reviews from customers who claimed they had noticed potential security issues, in addition to problems around connections and general quality. Yet an overwhelming number of positive reviews can make these products seem like a very tempting purchase.

Will Amazon take action?

We contacted Amazon about the cameras we discovered issues with and requested that they were removed from sale.

We also called on Amazon to systematically monitor customer feedback and investigate those cases where consumers have identified issues with security.

Amazon declined to comment.

Exposing the issues with unsafe 'smart products' in the UK

Which? has shared its research with the Department of Culture, Media and Sport (DCMS) team working on the Secure by Design code for Internet of Things products.

It recently carried out a consultation exploring ways to address weaknesses in the system that are allowing connected products with security issues to make it into the homes of UK consumers.

The Department of Culture, Media and Sport is currently consulting on whether to make it mandatory for all manufacturers selling connected products, such as wireless cameras, in the UK to have a clear and public process for dealing with security problems with their products.

Adam French, consumer rights expert at Which?, said: 'There appears to be little to no quality control with these sub-standard products, which risk people's security yet are being endorsed and sold on Amazon and finding their way into thousands of British homes.

'Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinise these products. They certainly should not be endorsing products that put people's privacy at risk.

'If they refuse to take more responsibility for protecting consumers against these security-risk products, the government should look to make them more accountable.' 

How to use a wireless camera and stay safe

If you're shopping for a wireless camera, do your research. Don't just consider price, but also look at the company. Have you heard of the brand? Does it have a reputable-looking website with a customer service team you can contact if something goes wrong?

Don't just rely on apparently positive customer reviews. These cameras tend to have hundreds of positive reviews, but always check the negative reviews too, on sites such as Amazon. See if any issues sound worrying, such as the ones we've highlighted above.

Ultimately, consider whether it's worth saving on a product that's designed to keep you or your family safe and secure.

If you're worried about a camera you already have in your home, it's worth considering some simple steps for peace of mind.

• Change any passwords. A common flaw with wireless cameras is that they have weak default passwords that are simple for an attacker to work out. Check the app or camera settings to see if you can change it to a more secure password.
• If you decide to review your camera online, be careful uploading pictures. Some of these cameras have passwords and usernames written clearly on the side of the product.
• If in doubt, unplug it or turn it off. No one wants to have to worry about someone snooping in on their home, so deactivate the camera if you're at all concerned.

Can I return a purchase for a refund if I think it's insecure?

If you're keen to return an item you've purchased, advice varies depending on your situation.

• If you've bought it online recently, you could return the item for a refund. If you bought it in-store, check you're in the returns window.
• If it has developed a fault, read our guide on what to do if you have a faulty product.
• If you're outside the standard returns period, your item hasn't developed a fault but you're still concerned, it may still be possible to claim a refund under the Consumer Rights Act 2015. While it hasn't been legally determined by the courts that products with the potential to be hacked due to inherent security flaws are faulty goods, we believe they should be regarded as such and we encourage you to make a claim. Complain to the retailer to say that you've discovered it's insecure and name the source of this belief (eg a Which? or other press article).