Avast_Threat_ Research: We tested the security of top IP camera apps, and here’s what
Quote:

Of the 10 apps that we put to the test, the apps that accompany the Blink and Wyze smart cameras proved to provide the best account security measures

Recently, our research team looked into the account security of app companions belonging to ten IP cameras. Each of these cameras has been listed on Amazon’s “hot new releases” and “best seller” categories.

Avast IoT researcher, Marko Zbirka, looked into whether the apps that accompany smart cameras include a two-factor authentication option, send the owner a notification that someone has attempted to log in or has successfully logged in from a new device, especially if the login attempts came from a device appearing to be on the opposite side of the world, and if the length of account passwords was restricted.  

The 10 different IP cameras, all of which have cloud functionality, are as follows:
  • Blink
  • Wyze
  • YI IOT
  • YI Home
  • Wansview Cloud
  • MIPC
  • Jawa
  • CloudEdge
  • Amcrest Cloud
  • iCSee
The apps accompanying these cameras have all been downloaded 50,000 times or more, and four of the ten have been downloaded more than one million times. 

Checking account security

Our team’s researcher downloaded the apps used to connect and control the cameras and created accounts for them. After successfully logging in, he checked for an option to change the accounts’ password and set up two-factor authentication for the accounts. He then used a second phone with a VPN app to connect to a server abroad, so that the communication from the second device would go through that server and thus anything being sent from the device would appear to be coming from a device located abroad. 

“I intentionally attempted to log in to my own account using wrong passwords more than 10 times to see if any kind of brute force attempts would be detected by the apps. After that, I used the correct login credentials to log in to see if I received a notification about a new login from a different device and location,” said Marko Zbirka, IoT researcher at Avast. “Following this, I checked if the traffic between the app and the manufacturer’s server was encrypted. Of the ten apps I looked at, only two had what I would consider an acceptable level of account security measures.”

The two apps that provided the best basic account security out of the ten, according to Zbirka, were Blink and Wyze. The Blink app requires users to enter a one-time password to add a new device, a one-time password to change the account password, and notifies users in case of brute force attempts or when a login is made using a new device. 
...
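The two account-side checks the quoted test probed for (flagging repeated failed logins, and notifying the owner of a login from a new device or location), sketched as server-side logic. This is an added example, not code from Avast or any of the tested vendors; the event format, the threshold of 10, the alert names and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

FAILED_THRESHOLD = 10  # assumption: alert once consecutive failures exceed 10

# Constructed sample events: (account, device_id, country, success)
SAMPLE_EVENTS = (
    [("owner@example.com", "phone-A", "CZ", True)]            # first login enrols phone-A
    + [("owner@example.com", "phone-B", "US", False)] * 11    # wrong password, second phone via VPN
    + [("owner@example.com", "phone-B", "US", True)]          # correct password, new device and country
    + [("owner@example.com", "phone-A", "CZ", True)]          # known device again
)


def review_logins(events, threshold=FAILED_THRESHOLD):
    """Return the notifications the account owner should receive, in order."""
    devices = defaultdict(set)     # account -> device ids seen on successful logins
    countries = defaultdict(set)   # account -> countries seen on successful logins
    failures = defaultdict(int)    # account -> consecutive failed attempts
    alerts = []
    for account, device, country, success in events:
        if not success:
            failures[account] += 1
            # Fire once, when the count first crosses the threshold.
            if failures[account] == threshold + 1:
                alerts.append((account, "brute_force_suspected", device, country))
            continue
        enrolled = bool(devices[account])  # False only for the very first login
        is_new = device not in devices[account] or country not in countries[account]
        if enrolled and is_new:
            # A success right after many failures is the more urgent case.
            kind = ("new_device_login_after_failures"
                    if failures[account] > threshold else "new_device_login")
            alerts.append((account, kind, device, country))
        devices[account].add(device)
        countries[account].add(country)
        failures[account] = 0      # a successful login resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_EVENTS):
        print(alert)
```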