Smart security cameras that can catch a thief in the act can be a great tool for protecting your home, but they’re also a gateway for hackers to spy on you because they can access them through the internet. No wonder, then, that in a nationally representative survey conducted by Consumer Reports in 2018, 54 percent of Americans considered loss of privacy a reason not to use smart devices.
News stories about home security cameras getting hacked have become all too common. You may recall one viral story from January 2019 concerning a California family’s Nest security camera being hacked to play fake warning messages that North Korea launched missiles at the United States. According to The Mercury News, the family’s eight-year-old son was so scared that he hid under the living room rug. It was only after calls to 911 and Nest that the frightened family realized they were victims of a hack.
Nest sent an email to its customers offering tips on how they can protect themselves, but Nest itself wasn’t breached—hackers probably got the log-ins to the family’s account by other means.
How Hacks Happen
One way security cameras are vulnerable to hacks is through a technique called “credential stuffing.” Hackers use usernames and passwords from other data breaches (that other hackers share online), to gain access to accounts. The combination of large data breaches, such as those at Equifax and Target, and consumers re-using the same passwords—52 percent of internet users reuse or modify the same passwords—makes the work easy. In recent years, hackers have made the login credentials for over 8.2 billion online accounts available on the internet.
Because this type of hack doesn’t require a breach of a security camera company’s systems, every brand of camera is at risk. “These companies aren’t technically at fault,” says Robert Richter, who leads security and privacy testing for Consumer Reports. “Most companies offer a two-factor authentication system that acts as an extra deterrent against attacks like this, but there is more that these companies could do, like encouraging people to use that added security feature by default.”
How to Protect Yourself
Data breaches and subsequent credential stuffing attacks won’t be going away anytime soon, but there are actually simple steps you can take to reduce the chances your security camera will get hacked.
- Keep your camera’s firmware up to date. Manufacturers that are serious about protecting their cameras will routinely release firmware updates that fix software bugs and patch security vulnerabilities. Some cameras will automatically download and install these updates, while others require that you check for updates on your own (typically, you’ll find an update button under the settings menu in your camera’s app).
- Change your camera’s password. In a nationally representative CR survey on data privacy conducted in May 2019, 13% of respondents with at least one online account say they use the same password for all their accounts. That makes it a cinch for hackers to gain access to multiple accounts. Always create a unique password for each account. Here’s the best way to do it:
Do: Use something long and complex—like a random phrase or string of characters—with numbers, symbols, and both uppercase and lowercase letters.
Don’t: Include any personally identifiable information, such as names, birthdates, etc. Hackers can often get this information from public social media profiles, such as those on Facebook or Instagram, and then use it to guess your passwords and gain access to your accounts. You also want to avoid simple, commonly used passwords, such as SplashData’s 100 worst passwords of the year. For more tips on strengthening your passwords, read our tips for better passwords.
- Set up a password manager. These programs generate incredibly strong, random passwords for your digital accounts, securely store and remember them for you, and even automatically insert them into login prompts. Many password managers are free to use and available on an array of devices and web browsers.
- Set up two-factor authentication if your camera offers it. This extra layer of security involves you opting to have the camera company send you a onetime-use passcode via a text message, phone call, email, or authentication app that you input in addition to your username and password when you log in to the account. That way, if a hacker cracks your password, they still won’t be able to access your camera unless they also gain access to your onetime code.
Not all camera companies offer two-factor authentication, though. Among the models in CR’s home security camera ratings, only three major brands currently do: Amazon, Nest, and Ring.
All of these methods can improve your chances of avoiding a hack, but know that they’re not foolproof. “None of these methods will work perfectly on their own,” says Richter. “But right now, these measures are our best tools. Use them all!”
Top Cameras With Two-Factor Authentication
Consumer Reports conducts data privacy and security tests on wireless security cameras to help you find models that are as secure as possible. Cameras that include two-factor authentication receive a higher score. Our experts also inspect the user interface and network traffic from each camera and its companion smartphone app to make sure it’s using encryption, adhering to manufacturer policies, and not sharing your data. We evaluate each model’s public documentation (such as privacy policies) to see what claims the manufacturer makes about the way it handles your data.
Below are a few cameras that do well in our data privacy and security tests and which offer the extra security of two-factor authentication. They’re listed in alphabetical order by brand.