Wireless security cameras being promoted on Amazon as bestsellers and Amazon's Choice products are putting consumer privacy at risk, a Which? investigation has found.
Also marketed as baby and pet monitors, many of these cameras are mass-produced in Shenzhen, China, and appear to undergo little or no quality control before being sold in the UK.
These cameras are appealing targets for hackers and snoopers on a potentially huge scale. One analyst we worked with suggested that around 50,000 security cameras in the UK, or 2m worldwide, contain critical flaws that make it easy for anyone to gain access.
On showing our findings to Amazon and requesting that the affected cameras were removed, it declined to comment.
We found out first-hand just how easy it is to hack an insecure wireless camera.
To investigate the issue, we bought four wireless security cameras from Amazon. These cameras were easy to find on the Amazon bestseller list, promoted with Amazon's Choice logos, and contained hundreds of positive reviews. All were from brands that are little known outside online marketplaces and based in Shenzhen, China, including Vstarcam, ieGeek, Sricam and SV3C,
Our lab partner, Context Information Security, tested the cameras and found critical issues with all of them. Risks range from your private data being exposed, to a hacker being able to gain complete control of the camera and potentially seeing into your home.
When we looked at the Vstarcam C7837WIP, the default username is set to the basic 'admin' with an easily guessable password. Through basic research online, we were able to recover the username and password for the administrator account. This could allow someone to completely control your camera.
The ieGeek 1080p and Sricam 720p cameras appear to use the same app. When you input your wi-fi password it's sent unencrypted over the internet.
This could enable an attacker to access your home wi-fi network, see what you're browsing and even gain access to data stored on other devices you have connected at home, such as tablets, laptops and smart speakers.
With some cameras, an attacker can take complete control over the device.
For example, it's fairly simple to gain what's known as 'root' access to the Victure 1080p. This is a bit like having the keys to the front door of a house - a hacker would gain complete control and be able to view footage as they please.
This issue was even flagged in one customer review on Amazon for the camera in May 2019, yet nothing has been done to fix it by the manufacturer and it remains on sale.
To investigate the true scale of non-secure wireless IP cameras on sale, we worked with US security engineer Paul Marrapese. He has exposed a affecting cameras that are popular on Amazon and other retailers.
If exploited, this vulnerability could allow an attacker to easily compromise the personal data of anyone who owns one of these cameras, breach their local internet network and even spy on their home.
Based on this data, it's believed that more than 50,000 potentially vulnerable cameras are active in UK homes and businesses, with more being added each day.
Around the world there are estimated to be almost 2m vulnerable devices. Any one of these cameras could be exploited by an attacker to watch the camera picture remotely.
Below, an image illustrates the rough geographic spread of potentially vulnerable cameras worldwide based on Paul Marrapese's research.
To verify his findings, we purchased three cameras in September 2019 from Amazon and asked Paul Marrapese to hack them.
He was easily able to remotely locate the ELITE SECURITY and Accfly Camhi APP Outdoor Security Camera 1080P - both listed as Amazon Choice with hundreds of reviews - and the Vstarcam C7837wip Wireless Camera 720P, which we set up in a controlled environment.
We set up the Elite Security camera in the home of a Which? employee and it was simple to remotely hack into the video feed. The camera was placed over a baby's crib at the time.
Paul was only given one piece of information about the camera - he was not told its location or what it was filming. This piece of data is simple to discover - in fact, it is often revealed by users in their reviews on Amazon.
A wireless camera set up in the home of a Which? researcher was easy to hack.
Disturbingly, the types of cameras we found issues with are very easy to find in the UK.
Type 'wireless cameras' into Amazon and you'll get more than 50,000 results - and many of the brands, such as Victure and ieGeek, are as prominent as they are unfamiliar. The cameras are cheap, sometimes costing under £30, have hundreds or even thousands of positive reviews, and might at first glance seem like a bargain.
But who are the companies behind these devices designed to offer security and peace of mind in the home, and how established are they?
Of the top 50 bestselling surveillance cameras on Amazon.co.uk at the time of the investigation, 32 are from companies that have no web presence at all outside of online marketplaces, or very basic websites with limited contact details. With some, it's virtually impossible to work out who actually made the product.
Victure and ieGeek, two of the brands we tested with a flaw that could allow a hacker to access your home wi-fi network and gain complete control over the camera, had a dozen cameras in Amazon's top 50 and thousands of positive reviews. Both these brands have very limited contact details, which also raises the question of who to get in touch with if you have concerns.
We discovered this first-hand for ourselves. We regularly test connected products to see how well they protect your privacy and security, and when we find problems we try to work with the company to get them fixed. However, despite numerous attempts to get these vulnerabilities addressed, we had no success.
We worked with David Li, an industry expert based in Shenzhen. Using his local knowledge, David tried to reach the companies involved in making the cameras, but he was unable to bring our findings to anyone involved in making the devices.
It appears that Amazon is not monitoring potential issues flagged by customers, either.
One customer left a disturbing comment for a Victure-branded camera, bought for use as a baby monitor, saying: 'Whilst leaning over her crib a voice emanated from the device's speaker and said 'hello' in a softly spoken female voice. It sent chills down my spine.'
Many other cameras included one-star reviews from customers who claimed they had noticed potential security issues, in addition to problems around connections and general quality. Yet an overwhelming number of positive reviews can make these products seem like a very tempting purchase.
We contacted Amazon about the cameras we discovered issues with and requested that they were removed from sale.
We also called on Amazon to systematically monitor customer feedback and investigate those cases where consumers have identified issues with security.
Amazon declined to comment.
Which? has shared its research with the Department of Culture, Media and Sport (DCMS) team working on the Secure by Design code for Internet of Things products.
It recently carried out a consultation exploring ways to address weaknesses in the system that are allowing connected products with security issues to make it into the homes of UK consumers.
The Department of Culture, Media and Sport is currently consulting on whether to make it mandatory for all manufacturers selling connected products, such as wireless cameras, in the UK to have a clear and public process for dealing with security problems with their products.
Adam French, consumer rights expert at Which?, said: 'There appears to be little to no quality control with these sub-standard products, which risk people's security yet are being endorsed and sold on Amazon and finding their way into thousands of British homes.
'Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinise these products. They certainly should not be endorsing products that put people's privacy at risk.
'If they refuse to take more responsibility for protecting consumers against these security-risk products, the government should look to make them more accountable.'
If you're shopping for a wireless camera, do your research. Don't just consider price, but also look at the company. Have you heard of the brand? Does it have a reputable-looking website with a customer service team you can contact if something goes wrong?
Don't just rely on apparently positive customer reviews. These cameras tend to have hundreds of positive reviews, but always check the negative reviews too, on sites such as Amazon. See if any issues sound worrying, such as the ones we've highlighted above.
Ultimately, consider whether it's worth saving on a product that's designed to keep you or your family safe and secure.
If you're worried about a camera you already have in your home, it's worth considering some simple steps for peace of mind.
If you're keen to return an item you've purchased, advice varies depending on your situation.