The BBC is reporting that a leading security camera maker has sent footage from inside a family’s home to the wrong person’s app. Swann Security has blamed a factory error for the data breach – which was brought to its attention by the BBC – and said it was a “one-off” incident. However, last month another customer reported a similar problem saying his version of the same app had received footage from a pub’s CCTV system.
Commenting on this, Christopher Littlejohns, EMEA manager at Synopsys, said “Effective Key Management is a fundamental practice on which authentication and cryptography is based within the Digital World. Without unique and “uncrack-able” keys we lose the ability to authoritatively identify people and things connected to the internet, or to transfer their secrets in a secure manner.
In this particular case a human error resulted in a manufacturing fault with at least two security cameras having the same key causing both cameras to be identified as the same item. The net result was that images, sound and videos were sent from one camera to the wrong user on their mobile phone. Whilst the impact of this is mostly on the vendors reputation, the same issue appearing in something like Bitcoin or other high-value item could be catastrophic – huge sums of money could be lost, confidence eroded in a service, or even State Secrets revealed to hostile governments. The latter is stretching the point a bit, but the underlying theme is that internet security is only as good as the weakest supply chain link, the generation and allocation of keys being part of that supply chain.
Issues such as this may cause significant difficulties with government regulations, for example European Union GDPR compliance. Poor key management may be considered negligent when it results in such data privacy issues, and there cannot be many things much more relevant to privacy than sending videos from your own home to the wrong person.”
Adam Brown, manager of security solutions at Synopsys, added “I personally have experience with Swann cameras – I used to have one, albeit different from the one in the report.
I found that the camera feed itself could be accessed directly from the network the camera was on, and there was some access control over that video feed – a hardcoded password as I remember – this is bad practice. If that camera was placed directly on the internet (not behind a firewall) then prying eyes could potentially see what my camera could see.
Obvious lax security controls indicate systemic failings. Without speculating on the technicalities of what went wrong here, I would surmise that the software security initiative at Swann is either lacking or could benefit from some deliberate improvement driven from management.
The camera market is catching up in cybersecurity. Leading Chinese manufacturers are integrating privacy and security into their cameras and infrastructure. Privacy and security are going to be vital for the camera industry, itself placed as a security solution.”