The world of smart home technology has developed quickly and for the most part, it’s an exciting and positive change. Being able to control your smart home with ease, whilst checking in on video feeds when you’re out and about (or simply in another part of the house) has never been easier.
It’s fun, convenient and safe. Right?
Right?! Well, any device which is connected to the internet can theoretically be attacked – or hacked. Heck, back in 2015 it was shown how Samsung smart refrigerators could be hacked and linked Gmail account details could be stolen.
You’ve then got websites like Insecam and Opentopia that find webcams that are accessible via the internet and allow you to view their video feed. Fancy watching 743 different video feeds from Italy (well, 743 at the time of writing – there’ll probably be more added by the time you’re reading this article)?
Yeah, so the world is a bit scary at times and it’s therefore normal to wonder whether your smart camera is unsafe and can be hacked? Well, generally speaking…
Smart cameras produced by the big names in the field – Ring, Wyze, Eufy and Google Nest – are generally built with security in mind and haven’t suffered from any widespread, device-level hacks. Wyze did suffer a data breach in 2019, but it didn’t include passwords so no smart cam hacks have been tied to this breach.
Smart cameras are usually either plugged into a wall socket, or they have a battery which can be recharged every so often.
They typically connect to your home’s network via WiFi, and they send any recorded video clips up to a cloud server. This then allows you to view these video clips via your smartphone app.
Recordings are usually made by smart cameras when motion is detected, but you can also ‘drop in’ on the video feed and view it in real time from your app or a computer.
For example, my pictured Ring Indoor Camera plugs into a wall socket and it uses 2.4 GHz WiFi to connect to my router. When motion is detected, it’ll start recording and relay this video footage up to Ring’s servers in ‘the cloud’. It’ll then notify me of this motion, allowing me to view the footage straight away – or a month or two later instead, if I’d prefer.
This is therefore very convenient because it allows me to check in on my property when I’m out, and since it records when motion is detected, it can record suspicious activity or attempted burglaries – and it’ll save these clips for my viewing later, or it’ll allow me to pass this onto law enforcement if requirement.
But one big downside of all this convenience is that anything internet based can potentially be hacked, allowing others to view my footage in the worst case.
The thought that your smart camera could be hacked, allowing some random hacker the ability to view the video feeds from your cameras is massively concerning. Whilst it’s not nice to think about, it’s worth “knowing the enemy” and so I wanted to mention the three main ways that smart cameras ‘get hacked’:
- The main route nowadays seems to be credential stuffing. This is where people use the same email address and password on multiple websites – a big security no-no, but it’s very convenient to do hence many people do this.
The big downside of this is that if just one website gets hacked, your email address and password is known to hackers. They can then use this to check other websites you might use – including your bank, shopping accounts, and potentially your smart camera sites.
You can use HaveIBeenPwned to see if your details may have been compromised. One of my email addresses has actually been involved in 12 data breaches, which is scary but thankfully I use unique passwords for all websites. and none of the hacked sites are ones that I use regularly or rely on.
But if I did use the same password on all my websites (including for my Ring account), hackers could then use these data breaches to login to my Ring account – and view all my video feeds. Scary thought!
- A security flaw may be detected on the smart camera itself. This is fairly rare thankfully, but it’s where part of a smart camera is poorly designed which could allow a hacked to remotely access or control it, thereby giving them access to your video feeds.
There haven’t been any reports of this from Wyze, Eufy, Ring or Nest Cameras, but it’s certainly happened with more budget cameras – usually ones from China. A scary Amazon review for a ‘Yi’ WiFi camera also said that their device was hacked multiple times.
- Finally, a company could have a data breach or one of their employee’s computers could be compromised (for example from a virus). This will then give hackers a massive ‘window of attack’ as they are essentially behind the scenes at the smart company who control your smart cameras.
As I discuss later, Wyze Cam did have a data breach in 2019 although thankfully this wasn’t a breach which allowed hackers to view people’s smart cameras.
Having a smart camera be hacked would obviously be a terrifying experience, but ‘thankfully’ (thankfully seems like the wrong word!) there are a few signs that you can watch out for which can help you detect a smart camera hack, allowing you to immediately stop the hack and protect your account.
Firstly if you’re like me, you’ve probably become fed up in recent years with signing into a website, and then receiving emails, SMS messages and phone notifications tell you that you signed in. My wife and I often say “Yes I know that I just signed in, I get the message – now go away“!
But in reality, these notifications are really important because if a hacker has just logged into one of your accounts, you’ll immediately know about it and can take action. An example notification is Ring’s login-in notification email:
Other things to watch out for – which could indicate a hacked smart camera – include:
- If the recording LED light is on. For example, Nest cameras pulse green slowly when someone is watching the live stream. Ring cameras show a solid blue LED when it’s in recording mode. Hence if this is on on your smart camera but you know that no-one in the house is watching it (and that it shouldn’t be recording), there’s a chance – even a small one – that someone who shouldn’t be is viewing the stream.
- If the smart camera is moving around. Some smart cameras (such as the Eufy Indoor pan & tilt camera) can be moved around when viewing the live feed, or they do this to track motion. So if the camera is moving, this again is a sign that someone is watching the live feed (or it’s recording).
Whilst this could be harmless, it could also indicate someone else watching the stream – so be sure to ask around your house to see if anyone else is watching the camera.
- Be alert to any strange noises. A widely publicized – and scary – article – hit the internet at the end of 2019, after someone’s nursery Ring camera was hacked and the hacker was using it to speak to their 8 year old daughter. This ‘hack’ was due to credential stuffing (as I discussed earlier), but it’s nonetheless very creepy as a positive feature of smart cameras (two way talk is possible) became a big negative.
- You could enable two factor authentication with Ring, Nest and Wyze (but not yet Eufy), meaning that when someone tries to log into your account, you’ll receive a confirmation email with a verification code.
This is a useful feature to activate, because you’ll receive an email if anyone else tries accessing your account – and they won’t be able to access it without the verification code.
Before covering how to protect your smart camera from hacking attempts, I wanted to cover reported hacks to Ring, Nest, Eufy and WyzeCam over the years:
- Ring seemed to suffer a data breach at the end of 2019, when thousands of customer’s email addresses and passwords were leaked onto the dark web.
Ring did later deny this leak, saying “Ring has not had a data breach. Our security team has investigated these incidents, and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network.“, but a similar data leak was dumped on the dark web (again apparently from Ring) a few days prior, so the signs point to a Ring data leak – even if they have denied this, and instead say it’s just collated data from credential stuffing.
- All four companies have had some reports of ‘my smart camera was hacked!!’, and these always make for interesting (and scary!) reading so journalists always report on these cases (such as the 8 year old girl’s camera I reported on earlier).
However all such cases appear to be caused by credential stuffing – i.e. someone reusing the same username and password with their smart camera account, and then not enabling two-factor authentication, meaning that their smart accounts are very much at risk from ‘hacking’.
- WyzeCam suffered a data breach at the end of 2019, which they openly confirmed and explained, and took a range of steps to address this and improve their systems so that it (hopefully) wouldn’t happen again.
Whilst no customer accounts were compromised, they did proactively reset certain authentication tokens and contact affected customers as their email addresses (and some other data) were leaked.
There are a few key steps that you should take which will protect not just your smart camera, but your other online accounts too:
- Only use unique, secure passwords on each of your websites. You can use a password manager like 1Password to keep track of all your passwords (and login more easily to websites too – bonus!).
Passwords shouldn’t be guessable either, i.e. don’t choose “RingSmartCam01” for your Ring account password! If you use a password manager, use their ‘generate password’ feature.
- Check HaveIBeenPwned to see if your username/email address has been involved in any hacks. If it has, you could be susceptible to credential stuffing attacks so be sure to change any passwords that you may have used on other websites too.
- Don’t buy a budget smart camera. I know that people’s money isn’t finite, but there’s been many more reports of smart camera hacking when the camera is from a little-known brand, usually from a Chinese company and manufacturer.
As a general rule, if you see a great deal on a smart camera on Amazon, Google the camera’s make. If they have a detailed, professional website and other people online are speaking about the make (e.g. on Reddit) then maybe they’re worth purchasing.
But if the Supertan Smart Camera 100 for $9.99 (a camera I just made-up, by the way!) isn’t mentioned anywhere online, it’s possible a low quality camera which could be more likely to get hacked.
- Enable two-factor authentication on your account. As mentioned earlier, Ring, Nest and Wyze all support two-factor auth which means that you’ll get an email or notification when someone tries logging into your account, and you need to accept this (e.g. by entering a code in an email) before the logon succeeds). If your password has been leaked online, two-factor auth will stop hackers from logging into your account.
- Be sure to keep the camera’s firmware up to date. Each smart camera manufacturer has a different process for this (and it can vary per camera model), so be sure to Google around for your specific camera make(s). But the gist here is that out-of-date firmware could contain security flaws, and so keeping your smart cam up to date is paramount.
With all this said, any device which is exposed to the internet (i.e. the majority of smart devices!) can potentially be hacked. Whilst you can mitigate this risk as per the advice above, you can never completely elimiate the risk.
The only real solution to this problem is to get an offline camera – such as a CCTV or DVR camera which only records locally. I personally am happy to use online-based smart cameras and just do my best to keep them secure, but your mileage may vary.