Created campaign strategy
To organize our efforts, the Consumer Reports team planned the campaign by researching hacking incidents reported in December 2019, reviewing the IP camera testing report from August 2019, and assembling a list of company contacts at the 25 manufacturers of connected camera products we have reviewed.
Wrote letter to manufacturers:
In January 2020, Consumer Reports drafted and sent letters to the 25 manufacturers of connected cameras, smart doorbells, and DIY security products, since all of these products make use of cameras that collect sensitive information within and outside the home. These letters put the companies on notice that they must have reasonable cybersecurity measures in place in order for consumers to trust and use their products. Specifically, we stated:
“...Consumer Reports writes to urge your company to raise the standard of security for your connected camera, doorbell, or security system. We request clarification on the steps you are taking to prevent hacks and unauthorized access to these cameras and the systems that underlie them. We also want makers of connected devices to know that CR’s ratings will continue to change to reflect the stronger data security and privacy practices we believe are essential for consumer protection, which could impact a product’s eligibility for recommendation.”
Identified 10 security measures
The letters also urged each company to implement stronger security measures to adequately protect consumers and their privacy. These measures may include but are not limited to:
- Automatic firmware/software updates enabled by default;
- Protection against credential stuffing and reuse;
- Require multi-factor authentication and captchas in the authentication system;
- Email notifications for users when a login occurs from a new device or a new IP address;
- Require users to sign back in after changing a password;
- Confirm with the user when the credentials have been changed;
- Password creation rules that require more secure passwords;
- Compatibility with password managers;
- Increased protection against brute-force dictionary attacks by rate-limiting login attempts; and
- Inclusion of a visible indicator (e.g., a prominent LED light) when cameras are active.
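To show how three of these measures fit into one login flow (rate-limiting login attempts, notifying the user of a sign-in from a new device or IP address, and forcing a fresh sign-in after a password change), here is an added example that is not taken from the letters or from any manufacturer's code. The class name, the in-memory storage, and the thresholds are assumptions chosen for illustration.

```python
import hashlib, hmac, os, secrets
from collections import defaultdict, deque

MAX_FAILURES, WINDOW_SECONDS = 5, 300  # assumed thresholds, not from the letter

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CameraAccountAuth:
    """Hypothetical in-memory sketch of three measures from the list above."""

    def __init__(self, clock):
        self.clock = clock                   # injectable time source (seconds)
        self.users = {}                      # email -> (salt, password hash)
        self.failures = defaultdict(deque)   # email -> failure timestamps
        self.seen = defaultdict(set)         # email -> known devices and IPs
        self.sessions = defaultdict(set)     # email -> active session tokens
        self.outbox = []                     # (email, message) notices to send

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, _hash(password, salt))

    def login(self, email, password, device_id, ip):
        now, recent = self.clock(), self.failures[email]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            return None                      # rate limited: password is not checked
        salt, stored = self.users.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            recent.append(now)
            return None
        keys = {("device", device_id), ("ip", ip)}
        if not keys <= self.seen[email]:     # new device or new IP address
            self.seen[email] |= keys
            self.outbox.append((email, f"New sign-in from {device_id} at {ip}"))
        token = secrets.token_urlsafe(32)
        self.sessions[email].add(token)
        return token

    def change_password(self, email, token, new_password):
        if token not in self.sessions[email]:
            return False
        self.register(email, new_password)
        self.sessions[email].clear()         # every device must sign back in
        self.outbox.append((email, "Your password was changed"))
        return True
```

Counting failures per account rather than per source IP address is what makes the limit hold against attempts spread across many addresses, at the cost of letting an attacker temporarily lock out the real owner.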
Engaged manufacturers with product improvements
Of the 25 companies contacted, seven never responded to our letters or repeated emails, one responded by telling us about their privacy and security initiatives (but did not detail what security measures they implement or plan to implement), and one responded via a physical letter sent to our DC offices.
We tested these cameras in 2019. From December 2019 to January 2020, we conducted a campaign to send out the letters to company CEOs, revisited our testing of the cameras, and then rescored them, which revealed new security vulnerabilities. We responsibly interacted with manufacturers to disclose these issues. Some of the results of the security and privacy tests led to an article: "Wyze and Guardzilla Security Cameras Have Security Risks, Consumer Reports Finds."
Designed a Consumer Reports ratings page warning
In order to publicize this effort, we posted a press release. In addition, we created a notice (image below) to place above our ratings pages to warn consumers about the security issues in these products.
Offered other helpful resources: Article highlighting best security cameras:
Based on these ratings, we published an article that highlighted "How to Use Ring's Control Center for Better Privacy and Security," the "Best Wireless Home Security Cameras of 2020," and "CR’s Home Security Camera Ratings & Buying Guide." In addition to these resources, we held a conference call presentation with the companies with the goal of informing them about what we heard back from companies and how we are giving greater weight to automatic security updates and requiring two-factor authentication.