Sensitive Data Collection

Connected devices such as cameras are increasingly being used in the private sphere of the home and collect highly sensitive information including voice and visual recordings of the home and the area immediately around a private residence. However, as multiple reports of connected camera hacking and incidents of unauthorized access have shown, many of these products are built without adequate security.

Exposure of account credentials

There were a series of hacks and vulnerabilities that have affected Ring security cameras and video doorbells, exposing account credentials. Reports surfaced of multiple Ring accounts being hacked through credential stuffing. Back in November 2019, it was revealed that Ring video doorbells contained a vulnerability that exposed WiFi network names and passwords. And last May, The Information reported a vulnerability that let individuals stay logged into Ring accounts even after a password change. At the end of December 2019, it was also reported that Wyze had suffered a breach of their customer data, leaving customers open to unauthorized access of their cameras.

Security breaches:

Attackers have openly viewed home security systems and baby monitor feeds, and have even spoken with residents, including young children. In December 2019, Consumer Reports reported on a series of security breaches. The news mainly on Amazon Ring products, where hackers compromised devices, harassed homeowners and sometimes children. While much news coverage was focused on Ring, it was possible that other popular connected camera brands could have similar vulnerabilities. 

These issues don’t just plague Ring devices either. In January 2020, there were reports of Nest cameras being hacked, again through credential stuffing. In response to the number of hacks and vulnerabilities, Consumer Reports initiated product testing across 14 connected camera products.

[Excerpts gathered from CR Article: 3,000 Ring Doorbell and Camera Accounts May Be Vulnerable to Hackers and this advocacy letter to connected camera companies]

Created campaign strategy 

In order to organize our efforts, the Consumer Reports team strategized a campaign by doing research on reported hacking incidents in the month of December 2019, reviewed the IP camera testing report from August 2019 and assembled a list of company contacts at the 25 manufacturers of connected camera products we have reviewed. 

Wrote letter to manufacturers:

In January 2020, Consumer Reports drafted and sent letters to the 25 manufacturers of connected cameras, smart doorbells, and DIY security products, since all of these products make use of cameras that collect sensitive information within and outside the home.  These letters put the companies on notice that they must have reasonable cybersecurity measures in place in order for consumers to trust and use their products. Specifically, we stated: 

“...Consumer Reports writes to urge your company to raise the standard of security for your connected camera, doorbell, or security system. We request clarification on the steps you are taking to prevent hacks and unauthorized access to these cameras and the systems that underlie them. We also want makers of connected devices to know that CR’s ratings will continue to change to reflect the stronger data security and privacy practices we believe are essential for consumer protection, which could impact a product’s eligibility for recommendation.”

Identified 10 security measures

The letters also urged the company to implement stronger security measures to adequately protect consumers and their privacy. These measures may include but are not limited to:

1. Automatic firmware/software updates enabled by default;
2. Protection against credential stuffing and reuse;
3. Require multi-factor authentication and captchas in the authentication system;
4. Email notifications for users when a login occurs from a new device or a new IP address; 
5. Require users to sign back in after changing a password; 
6. Confirm with the user when the credentials have been changed;
7. Password creation rules that require more secure passwords;
8. Compatibility with password managers;
9. Increased protection against brute-force dictionary attacks by rate-limiting login attempts; and 
10. Inclusion of a visible indicator (e.g., a prominent LED light) when cameras are active.

Engaged manufacturers with product improvements

Of the 25 companies contacted, seven never responded to our letters or repeated emails, one responded by telling us about their privacy and security initiatives (but did not detail what security measures they implement or plan to implement), and one responded via a physical letter sent to our DC offices.

Discovered vulnerabilities

We tested these cameras in 2019. From December 2019 - January 2020, we conducted a campaign to send out the letters to company CEOs, revisited our testing of the cameras, and then rescored them, which revealed new security vulnerabilities. We responsibly interacted with manufacturers to disclose these issues. Some of the results of the security and privacy tests resulted in an article: Wyze and Guardzilla Security Cameras Have Security Risks, Consumer Reports Finds. 

Designed a Consumer Reports ratings page warning

In order to publicize this effort, we posted a press release. In addition, we created a notice (image below) to place above our ratings pages to warn consumers about the security issues in these products.

Offered other helpful resources: Article highlighting best security cameras:

Based on these ratings, we published an article that highlighted How to Use Ring's Control Center for Better Privacy and Security, the Best Wireless Home Security Cameras of 2020, and CR’s Home Security Camera Ratings & Buying Guide. In addition to these resources, we held a conference call presentation with the companies with the goal of informing them about what we heard back from companies and how we are giving greater weight to automatic security updates and requiring two-factor authentication.