Of the 10 apps that we put to the test, the apps that accompany the Blink and Wyze smart cameras proved to provide the best account security measures
Recently, our research team looked into the account security of app companions belonging to ten IP cameras. Each of these cameras have been listed on Amazon’s “hot new releases” and “best seller” categories.
Avast IoT researcher, Marko Zbirka, looked into whether the apps that accompany smart cameras include a two-factor authentication option, send the owner a notification that someone has attempted to log in or has successfully logged in from a new device, especially if the login attempts came from a device appearing to be on the opposite side of the world, and if the length of account passwords was restricted.
The 10 different IP cameras, all of which have cloud functionality, are as follows:
- Blink
- Wyze
- YI IOT
- YI Home
- Wansview Cloud
- MIPC
- Jawa
- CloudEdge
- Amcrest Cloud
- iCSee
The apps accompanying these cameras have all been downloaded 50,000 times or more, and four of the ten have been downloaded more than one million times.
Checking account security
Our team’s researcher downloaded the apps used to connect and control the cameras and created accounts for them. After successfully logging in, he checked for an option to change the accounts’ password and set up two-factor authentication for the accounts. He then used a second phone with a VPN app to connect to a server abroad, so that the communication from the second device would go through that server and thus anything being sent from the device would appear to be coming from a device located abroad.
“I intentionally attempted to log in to my own account using wrong passwords more than 10 times to see if any kind of brute force attempts would be detected by the apps. After that, I used the correct login credentials to log in to see if I received a notification about a new login from a different device and location,” said Marko Zbirka, IoT researcher at Avast. “Following this, I checked if the traffic between the app and the manufacturer’s server was encrypted. Of the ten apps I looked at, only two had what I would consider an acceptable level of account security measures.”
The two apps that provided the best basic account security out of the ten, according to Zbirka, were Blink and Wyze. The Blink app requires users to enter a one-time password to add a new device, a one-time password to change the account password, and notifies users in case of brute force attempts or when a login is made using a new device.
Wyze offers two-factor authentication, although not set by default. The app gives users the choice to have the authentication code sent via text message or authenticator app, which eliminates the risk of anyone gaining access should the email account linked to the account be compromised. Wyze also notifies the user — not the user of the account, but the user attempting to log in — if too many login attempts were made.
“I was hoping all of the apps would have some kind of two-factor authentication preferably via an authenticator app, no set maximum for password length — some of the apps restricted the password length to 16 characters — and notifications notifying the user of logins from new devices or from unknown locations,” says Zbirka.
According to Zbirka, the MIPC app provided the least favorable account security, as it provides no brute force protection or notifications. The password reset procedure is transmitted over HTTP, meaning it is unencrypted.
Things you should consider when choosing an IP camera
When considering purchasing a cloud-connected IP camera to use in a home or office space, Zbirka notes that it’s important to not only look into how often the device receives software updates, but also to pay attention to the level of account security the accompanying app provides. Ideally, an app should make use of the following security measures:
- Offer two-factor authentication, preferably via an authenticator app
- Have no set maximum for password length (some of the apps restricted the password length to 16 or 32 characters)
- Send push notifications informing users of logins from new devices or from new locations
Check out the full analysis of our team’s research on Avast Decoded.