I’ve been waiting for the right time to review some old indoor security cameras for the past several months. It’s not about the brand (Blink) or the cameras (which work quite well thus far!). It’s that every time I prepare to write about them, news like the recent Ring ransomware attack or Eufy’s insecure network would emerge, and I would kick my security cam reviews down the road.
Why? Because I’ve become increasingly uncomfortable recommending any security camera when knowing whether or not the backend is secure has become something only bug bounty hunters and clairvoyants could safely tell you.
When I review a product, I try to be as nitpicky as possible. Not because I want to give a bad review, but because it’s my job to go past the idealized press releases and spec sheets to see the cracks beneath the surface.
You can spot some of those issues with a security camera, like if the video quality or AI detection doesn’t pass muster. But even with the best-possible cameras we’ve tested and loved, there’s always the specter of some unknown breach lurking on the horizon.
That’s not something I (or most tech journalists) are qualified to detect. With a smartphone, we can test most software and security for ourselves, and users have nearly full control to block or enable apps from tracking them. With a security camera, all of that data security is handled remotely, and we can only take the company at its word that it’s protecting your data securely.
The problem is, we really can’t trust a security company to give an honest assessment of its cybersecurity anymore — if we ever could.
Whether they specialize in hardware or software, companies like LastPass or Eufy tend to hide any active breaches for months until they’re made public and then downplay the severity with mitigating circumstances and technical jargon.
Even with the most secure company possible, all it takes is one phishing slip-up or poor safeguards at a third-party affiliate to turn your security camera into a gateway for someone to access your home feeds without you ever knowing.
A never-ending stream of unsettling incidents
Vice reported this past week that a third-party vendor associated with Ring had been hit by BlackCat ransomware; Ring employees have been told “do not discuss anything about this,” and we can’t be certain yet what user data is on the line if Amazon doesn’t pay.
Before this latest incident, security researcher Paul Moore discovered that Eufy cameras were sending users’ images and facial recognition data to the cloud without their knowledge or consent, that you could stream anyone’s private camera feeds from a web browser, and that Eufy’s AES-128 encryption was easily cracked because it used simple keys.
Eufy responded by patching some issues and editing its privacy guidelines to guarantee fewer protections for its users, at which point we recommended you throw away your Eufy cameras.
Compared to the epic scale of the Verkada camera breach, during which 150,000 cameras could be accessed via one master password, most publicly-known flaws with well-known home security systems were relatively minor and occurred several years ago. But there’s still reason for concern.
Wyze, for instance, hid a major vulnerability in the Wyze Cam v1 for three years until Bitdefender exposed it. Even though “an outside attacker [could] access the camera feed or execute malicious code to further compromise the device,” Wyze justified itself by saying the hacker would need to gain access to your home Wi-Fi, and it patched the issue in its newer cameras.
Before its ransomware incident, Ring found itself embroiled in criticism when a source told The Intercept that Ring contractors could watch customers’ footage with nothing but an email address and that Ring execs felt that encrypting footage “would make the company less valuable.”
Ring eventually caved and encrypted its cameras, but it still attracts frequent criticism for giving Ring doorbell footage to the police without user consent.
An ADT technician accessed home feeds 9,600 times under the guise of testing the systems to spy on female customers without their knowledge, per Security Magazine. Brinks Home accidentally gave customers access to other users’ names, addresses, and phone numbers, but took months to fix the issue after a customer warned them, reports Security Sales.
I could go on, or you could just as easily Google Search for your favorite security company, add “breach” at the end, and see some perturbing stories.
Accepting the unknown
My overall point is simple: Even popular security companies with seemingly impregnable encryption will make decisions that leave your private data or home feeds vulnerable — or hire someone that exploits their power in disturbing ways. And once that company finds out, there is absolutely no guarantee you’ll find out about it unless someone whistleblows or a security expert catches their mistake.
In this environment, blithely reviewing any company’s security camera on its merits and recommending it to my readers feels irresponsible. It’s my job to do so, and I will write about the Blink Indoor and Blink Mini once it’s clear how its parent company handles the Ring ransomware attack.
But in doing so, I’ll have to include a big caveat that I just don’t know what Blink’s (or any company’s) weakest link is — an unscrupulous employee, an unreliable third-party team, weak encryption, or something else entirely — that could undermine everything useful about that device I’m recommending.
In the meantime, I can point people to security cams with local storage to try and avoid keeping your private footage on company servers (and save on monthly fees). But that’s not always a guarantee of security; case in point, we used to praise Eufy’s cameras as a local storage option before its many issues came to light.