As technology gets smaller and cheaper, more people are choosing to equip their homes with wireless security cameras. But an NBC Bay Area Investigation found that many of these devices contain a security loophole that could allow strangers to peek into your privacy, whether they want to or not.
NBC Bay Area’s Investigative Unit tested several popular wireless security cameras and discovered that some customers who return their used cameras have the ability to see and hear the camera’s new owner. To prevent this, retailers are supposed to reset used cameras to their factory settings or send them back to the manufacturer to reset. However, our tests found that those security measures don’t always happen.
The Investigative Unit first learned about this privacy concern after San Francisco resident Kevin Schuh returned a Canary camera he purchased from Amazon. About a month later, Schuh received an email that the camera detected motion, and his inbox filled up with video clips showing a woman alone in her home.
“I could see her living room, dining room, kitchen, everything,” Schuh told NBC Bay Area. “This is totally disturbing and not right, and she’s totally oblivious.”
Throughout the day, Schuh continued to receive video clips ranging from 20 seconds to 6 minutes in length.
“Totally creepy this could have been my sister could have been my mom we need to tell people about this,” Schuh said. “I assumed she would press a button and it would reset, and I would be cut off.”
With no way to communicate with the camera’s new owner, Schuh contacted Canary to deactivate his cloud account. But according to Schuh, a representative told him there was no way for Canary to disconnect his account.
“I had to go through all these hoops to disconnect the camera myself,” Schuh said. “After that, I couldn’t see her. But I had to do it. She couldn’t do it herself, and Canary couldn’t do it remotely.”
Schuh’s experience exposed a little known safety concern that all consumers looking to buy a security camera should know about.
SECURITY CAMERA TEST FOOTAGE
The Investigative Unit wanted to see how many other used cameras allow a previous owner to spy on the camera’s new owner. NBC Bay Area purchased several different brands from various retailers, including a Zmodo EZcam from Fry’s Electronics in Sunnyvale.
Senior investigative reporter Vicky Nguyen set up the camera to send her phone an alert anytime the camera detected motion. She marked the box with an invisible ink pen and returned the camera to Fry’s.
The next day, an NBC Bay Area producer purchased the same camera. Fry's store policy requires staff to ensure that any used camera is properly packaged and marked as an “open box” or “returned” item, before it is resold. However, this Zmodo EZCam was neither reset nor marked as a returned item. This appeared to be an anomaly based on NBC Bay Area’s previous visits to various Fry’s stores where all used cameras were clearly marked.
NBC Bay Area’s producer attempted to set up the EZCam with a new account on a new internet network, the same way any new user would. As soon as the producer connected the EZcam to the internet, Nguyen received an alert that the camera detected motion, and she was able to see the producer setting up the camera. The camera showed our producer a message warning: “The device is already linked to another account.” However, the message did not indicate that the previous account holder (Nguyen) could still see the producer.
Ilan Jacob runs the security firm Sherlock Surveillance. Jacob tested three other brands NBC Bay Area purchased and found similar concerns with some of them.
Jacob’s test found that the Amcrest ProHD potentially allows a previous user to control the camera remotely if someone purchases it used without resetting.
Netgear’s Arlo camera had a similar security concern.
“As soon as I plugged it in, the prior setup I had completely worked,” Jacob explained.
NBC Bay Area reached out to Netgear, Canary, Zmodo and Amcrest to find out if the security gaps we found in our tests could violate the privacy of any real customers.
San Jose based Netgear leads the home surveillance camera market with more than 4 million Arlos sold worldwide. Senior director of software Naveen Changani told NBC Bay Area that the company takes several measures to ensure that user privacy remains protected and prevent what we observed in our experiments from occurring in real life.
“We have a very strict policy here. We do not allow retailers to resell our used cameras,” Changani said. Netgear requires stores to send back any Arlo cameras that have been returned so they can be reset by the factory. The company said it has received very few complaints from consumers about used cameras creating privacy concerns and added the products use bank level encryption and are connected to a secure cloud that allows Netgear to continually upgrade device security.
Netgear said the cameras are designed to allow users with one account to connect to different Wi-Fi networks for convenience without having to open a new account each time they change Wi-Fi networks, in case a user wants to observe more than one home location on the same account.
Amcrest and Canary say they also require retailers to send all used cameras back to the manufacturer so they can wipe the device’s history and recertify them for use. A spokesperson for Zmodo said that any device returned to the company is completely reset and unbound before it is resold.
In addition, the Netgear Arlo, Zmodo EZCam, and Amcrest ProHD all have a reset button that allows customers to kick off a previous owner if they purchase a used camera.
Amcrest CEO Adam Ravat told NBC Bay Area that he first learned about this problem in May 2016, and the company immediately updated its firmware to address the security flaw.
Amazon did not respond to NBC Bay Area’s questions about what happened to Schuh’s used security camera and why it was resold to the woman without being reset.
In a statement, Canary spokesman Bob Stohrer said the camera was never sent back to Canary to be reset, and said it’s unclear what happened to the camera Schuh returned to Amazon.
“What I can say is that there are a number of scenarios that can happen any time a device is in transit, when it is received and when it is in the distributor’s warehouse. This could potentially include lost or theft, where it potentially ended up in the hands of an unauthorized reseller,” Stohrer said.
For his part, Schuh said he’s just glad to get the message out to help security camera users learn how to protect themselves. “There so many horrible people on the internet these days. There are trolls, people who want to do bad things and make people feel miserable. We don't need anymore of that.”