Main points
- Data breaches like Wyze’s are caused by third-party issues, not user error.
- Use best practices like unique passwords and 2FA to protect smart cameras.
- Privacy features can be controlled remotely.
Last month, when Wyze cameras came back on after a power outage, about 13,000 users received thumbnails of footage from other people’s homes. This isn’t the first time the company known for its affordable security cameras has apologized for privacy violations, nor is it the first time an error has resulted in users seeing camera footage that doesn’t belong to them.
Wyze isn’t the only company making headline-grabbing mistakes. From an Amazon employee who accessed female users’ videos to an ADT employee who admitted breaking into more than 200 accounts, privacy breaches are a real risk to smart home cameras. But is there anything a smart home can do to continue to support features like motion-activated lights, package notifications, and security alarms? Or does the latest scandal suggest the best approach is to throw away smart cameras altogether?
In Wyze’s latest security breach, data was not accessed via a wrong password or even by a sophisticated hacker.
While smart homes can leverage some best practices to better protect data, even the strictest privacy practices may not prevent privacy breaches. In Wyze’s latest security breach, data was not accessed via a wrong password or even by a sophisticated hacker. According to the company, a third-party caching library obfuscates device IDs and user IDs, sending incorrect data to accounts.
Is it time to ditch your smart camera?
Users themselves cannot prevent Wyze breaches. Dr. TJ OConnor, chair of Florida Institute of Technology’s cybersecurity program and co-author of several IoT security studies, explained to us that while the connection to the cloud server is encrypted, the files themselves are not.
As consumers, we have little idea how and where our videos are stored. All content is stored in the cloud on content delivery network servers.
This is a fairly common approach, he said, as the “encryption at rest” option can cause performance and usability issues. Below Dr. O’Connor clearly explains to us the ins and outs:
The Wyze issue is a bigger problem for security camera vendors. As consumers, we have little idea how and where our videos are stored. All content is stored in the cloud on content delivery network servers. In Wyze’s case, they appear to store unencrypted video clips and thumbnails on AWS content delivery servers. Failure to encrypt data is the fundamental problem here. This could allow a malicious insider to view the video. Or, as in the case here, a technical glitch could inadvertently expose our unencrypted videos to other consumers.
In a study O’Connor co-authored last year, researchers speculated that the demand for cheap smart cameras has created many seriously unsafe devices. Researchers found that all five security cameras under $100 studied by Kangaroo, NightOwl, and Geeni had insufficient security software, including a lack of encryption.
Is it time to ditch your smart camera? For the most privacy-conscious, the answer is probably yes—after all, only Wyze can stop the latest breach, not the end user. However, since cameras have become an integral part of many smart home devices, including robot vacuums and smart refrigerators, going camera-free isn’t for everyone.
In fact, after all his research into IoT security vulnerabilities, O’Connor himself still outfitted his residence with doorbell cameras, voice assistants, and other smart devices. While he emphasized that security cannot be guaranteed, utilizing best practices such as separate wireless networks and strong passwords can prevent some potential breaches.
Best smart security cameras: Top models from Ring, Arlo, and Nest
The best smart security cameras use 3D motion alerts, night vision, and even Alexa integration to monitor the interior and exterior of your home.
For Wyze users, past breaches may be too much for some customers to continue using the brand. However, O’Connor noted that Wyze self-reported the latest breach rather than trying to hide or deny the bug, and when he discovered potential issues during his previous research in 2019, the company implemented multiple changes, including a bug bounty plan.
No smart camera can guarantee privacy, as anything in cloud storage is potentially vulnerable, but implementing some best practices can prevent certain types of illegal access.
Never place security cameras in private rooms
The first rule of thumb when equipping your smart home with any camera-equipped device is to keep these gadgets away from personal spaces. For example, in the FTC complaint against Ring, an employee obtained videos of female users through cameras named after spaces such as bedrooms and bathrooms. If you absolutely must have a smart assistant as an alarm clock or need to use a smart speaker in the shower, choose a model without a built-in camera.
If you absolutely must have a smart assistant as an alarm clock or need to use a smart speaker in the shower, choose a model without a built-in camera.
Of course, it’s not always possible to keep the camera out of the bedroom with a video baby monitor. If you decide that the privacy risk is worth the peace of mind of seeing and hearing your child, position the camera so that only the sleeping area is visible, and any changing areas will not appear in the shot.
Disable indoor cameras when you’re home
Most cameras designed as security or pet cameras are no longer needed once you get home – in which case it might be a good idea to disable the camera while you’re home. If quitting an app every time you get home sounds like a hassle, in many cases you can ask a voice assistant like Alexa to disarm your smart camera.
Geofencing can automatically arm and disarm these cameras, but this comes with its own privacy risks. Using your smartphone’s location, geofencing automatically turns off your cameras when you arrive home. As well as eliminating the annoyance of receiving notifications when you walk in front of your own camera, this feature also means less video of yourself, potentially leading to a privacy breach.
O’Connor recommends keeping all sharing permissions to a minimum, which means turning off geofencing capabilities.
However, this is a double-edged sword. Geofencing requirements allow smart home apps to access your smartphone’s location at all times, which at best means you’ll likely see more targeted location-based ads. O’Connor recommends keeping all sharing permissions to a minimum, which means turning off geofencing capabilities.
Understand that many privacy features can be disabled remotely.
Any privacy features you can control through your smart home app can be disabled by a hacker. Smart home users should keep this in mind when setting up any camera-equipped device. For example, if someone manages to access your account, they can turn off geofencing.
For example, in O’Connor’s 2023 study on the security risks of cheap cameras, researchers found that the privacy mode on the Kangaroo Privacy Camera, which blurs the lens view by activating the LCD lens, had a firmware vulnerability that could allow privacy features to be manipulated.
Physical privacy features, such as the camera covers on many Alexa Show models, are harder to manipulate by bad actors. Only a person physically present may remove the physical privacy cover.
Use unique and complex passwords
When setting up a smart home system, never reuse existing passwords for other accounts. Use complex passwords – a series of randomly generated letters and numbers that are harder to crack than passwords that use common words or easy-to-remember numbers such as birthdays and addresses. A password manager makes it easier for you to create unique and complex passwords for all your online accounts.
Always use multi-factor authentication
Always turn on two-factor authentication for smart home devices. If someone tries to access your account, in most cases you will be notified and can block access and then change your password.
What is two-factor authentication and why should you use it?And how to enable Apple, Google, etc.
How to enable two-factor authentication on all your favorite devices and services
Use isolated wireless access points for all IoT devices
OConnor recommends using separate wireless access points for any smart home devices. Partitioning your Wi-Fi network (such as creating VLANs or splitting your router into 2.5Hz and 5Hz networks) allows your smart devices to use separate W-Fi passwords. This is especially important if you provide your guests with commonly used Wi-Fi passwords.
Limit sharing permissions
Smart home devices pose risks beyond just camera information falling into the wrong hands. O’Connor recommends limiting your smart home apps to the minimum permissions required. For example, restrict access to location services.
Using cloud-connected smart cameras always carries a level of risk. However, by using best practices like strong passwords and separate Wi-Fi networks, you can reduce the chances of your videos showing up in front of the wrong eyeballs.
FAQ
Q: Can smart cameras be hacked?
Any cloud-connected device presents potential privacy risks, including smart cameras. While best practices like strong passwords, separate Wi-Fi networks, and two-factor authentication will help prevent many types of hackers, no smart camera is 100% immune. Therefore, smart cameras should never be placed in private rooms.
Q: Can you tell if your security cameras have been hacked?
Several studies have uncovered potential weaknesses that could prevent users from realizing their data has been compromised. A 2021 study from Florida Institute of Technology examined 20 popular smart home devices and found that security vulnerabilities could hide from users. Research also found that hackers can alter event logs without the owner’s knowledge.