Which? That smart home camera? The one with the vulns? Really?
Security experts confounded by consumer org's assessment
Which? Magazine has been called out for recommending a line of smart home cameras with known vulnerabilities.
The Consumers' Association magazine has worked hard to build trust in its consumer-focused product reviews. The fact that the Samsung SmartCam SNH-P-6410 smart home security camera still has Which's "Best Buy" recommendation stamp, however, has surprised security experts. The camera has security flaws involving video feed compromise.
The Which? review of home security cameras judged the devices on multiple criteria including functionality, ease of use and value for money as well as privacy.
Which? noted that there were "some privacy concerns" with the "expensive" Samsung SmartCam while continuing to list the device as its top pick.
Security experts at Pen Test Partners reacted to this assessment with incredulity. "Which? Magazine have recommended a smart camera that allows their readers to be spied on," said Pen Test Partners' Ken Munro.
Munro faulted Which? for not seemingly not reviewing published research on flaws with the camera in reaching its assessment, which seemed to weight its support for encrypted communication very heavily while apparently neglecting other security problems with the device.
Takeover vulnerabilities were found in this camera in 2014, predating the 2016 Which? review. They were still present until recently. In August 2016, command injection vulnerabilities were uncovered. More recently, in April 2018, Kaspersky published a report into the security of the SmartCam SNH-P-6410 that described it as "riddled with bugs".
This is in addition to other problems Pen Test Partners itself has found with the Samsung-branded device.
"We've tested this Samsung SmartCam camera several times for various different organisations, going back to 2016," Munro explained. "Obviously, client engagements are covered by non-disclosure agreements, however we worked with each client to report the findings responsibly to Samsung (Hanwha Techwin is the actual manufacturer) for remediation to be carried out.
"So, we knew about the issues but had to remain silent for contractual reasons."
Which? either didn't know about or placed little weight on multiple security criticisms of the Samsung SmartCam SNH-P-6410 while slamming the Hive for comparatively less serious problems, further irritating Munro.
"What made this even worse was that Which? made a big deal of a single plain text request from the Hive smart camera – this wasn't ideal, but to exploit it would require first compromising the users Wi-Fi network [and] even then the only data exposed was the users email address," Munro explained.
"Yet, they made a 'Best Buy' recommendation for a camera whose video feed could be accessed by anyone, among [other] numerous security flaws."
Unresolved flaws in the Samsung SmartCam SNH-P-6410 make it either a nosy neighbour or local stalker, according to Munro.
"The cameras are still vulnerable to a de-authentication and evil twin attack. Hence, anyone in Wi-Fi range can access the user's video feeds," he warns, adding that the locations of vulnerable devices might easily be uncovered using the wigle.net Wardriving database.
"The cameras also have terrible local network security, so if one cracks the users Wi-Fi PSK [pre-shared key] or has local access, it’s possible to completely compromise the camera. Command injection, total pwnage.
"Which? either need to significantly upgrade the depth of security testing, or stop making recommendations in the consumer IoT space."
All the magazine had to do was Google and they'd have seen that the device exhibited a number of security problems, Munro told El Reg. All they appeared to have done was a cursory check on the mobile app.
"I don't even think they tested the mobile app thoroughly – as far as I can make out they were just looking for unencrypted comms. That would explain why they found the minor issue in the Hive, but missed the glaring hole in the Samsung.
"Their methodology is screwed – they state that the presence of encryption makes the data secure."
El Reg asked Which? to comment on PTP's criticisms. In response the well-respected magazine highlighted the caveat it had made to its endorsement without commenting on the product's various vulnerabilities. It confirmed its recommendation was made on the basis of more detailed reviews carried out two years ago.
Which? found a minor privacy concern with this device at the time of testing more than two years ago and this is clearly stated in the review. Our rigorous testing programme is constantly evolving to take into account changes in the tech security landscape and to ensure our members have access to the impartial advice they need to inform them when they make a purchase.
Which? works tirelessly with tech companies, security experts and the Government to push for improvements in the connected tech sector – including playing a key role in guidance to make products secure by design, which will help improve security on smart devices for millions of consumers.
Pen Test Partners has an extensive portfolio of work assessing the security of IoT devices under its belt – including research into everything from smart kettles to maritime shipping. That work has included research into smart home security cameras. For example, PTP researchers recently uncovered flaws in Swann and FLIR cameras so serious the devices could be turned against their owners and used to spy on them in their own homes. ®