Bolstering your smart home security with some Amcrest cameras sounds like a great idea.
These cameras are affordable, good-quality, and record up to 4K. But are Amcrest cameras secure?
Amcrest cameras aren’t secure because they suffer from several critical vulnerabilities, such as CVE-2019-3948 and CVE-2017-8229. These vulnerabilities allow a hacker to access the cameras without authorization credentials. The hacker can then see and listen to you through the Amcrest camera.
Amcrest cameras have decent hardware, but, unfortunately, they just aren’t very secure.
This article will cover a few important security facts that you should know before buying a new Amcrest camera.
1. Amcrest Rebrands Dahua Cameras (a Chinese Company)
Before talking about all those CVE cybersecurity vulnerabilities, let’s first explain what Amcrest cameras are.
That wouldn’t be a problem if Dahua Technology wasn’t a partially state-owned Chinese company.
There’s nothing wrong with products made in China.
However, government-owned tech companies are subject to China’s laws. Their government has access to all the data collected by those companies.
That’s exactly why the FCC considers Zhejiang Dahua Technology a threat to the U.S.
Having the Chinese government collect your sensitive data is already a huge concern.
This concern becomes even bigger when it’s a camera with a microphone we’re talking about.
So, this whole conundrum quickly turns into a Big Brother-style surveillance program.
2. Hackers Can Listen Through Your Amcrest Camera
Let’s start by talking about a somewhat recent exploit named CVE-2019-3948. It affects pretty much all of Amcrest and Dahua’s cameras.
So, what about it?
In a nutshell, a hacker can access your camera’s microphone and listen to all the audio captured by it.
Frankly, “hacker” is a huge overstatement here. You could access your neighbor’s camera if you tried hard enough.
You shouldn’t do this because it’s illegal, but here’s a YouTube video demonstrating just how easy it is:
The main security concern here is that you can do it over HTTP. In simpler terms, you can do it through any computer browser that has access to the Internet.
And the worst part is that you don’t even need a password to download the audio file.
So, a hacker can get complete access to all your conversations without you knowing. This can lead to some horrible stuff like:
- Identity theft.
- Credit card fraud.
So, what use is a security camera that leaves you more exposed than not having it in the first place?
3. Hackers Can Easily Gain Access to Your Amcrest Camera
CVE-2019-3948 alone is a huge concern. Unfortunately, we’re only getting started with these critical vulnerabilities.
CVE-2017-7927 allows a hacker to use a password hash instead of an actual password to access a camera.
This basically means that a hacker can log into your camera without ever having to get your password.
Another exploit called CVE-2017-8229 is even more concerning. It lets a hacker download your credentials and use them to log in.
This vulnerability has a score of 9.8, so it’s about as bad as it can get.
The hacker can easily access your camera and see all your recordings as well as the live feed.
It can’t get worse than this now, can it?
Oh yes, it can.
CVE-2017-13719 is yet another exploit with a score of 9.8. It’s similar to the first two, but this one is a memory corruption exploit.
The hacker can access all your data over an HTTP request by forcing their way through any security measures.
The list of extremely critical vulnerabilities goes on.
All these vulnerabilities apply to most Amcrest and Dahua cameras. Firmware updates might fix some of them, but not all.
At this point, there are too many vulnerabilities to fix.
Note that these vulnerabilities are from 2017, as their name suggests.
Amcrest has known about them for years but never fixed them.
This decision (or lack thereof) tells you how much they really care about your privacy and security.
Such exploits would already be bad enough on any smart home gadget. On a security camera, it’s unacceptable.
You might also like: Can Alexa be hacked?
4. The Amcrest Account Security Lockout Doesn’t Work
The previous point talked about a few exploits that hackers can abuse to access your Amcrest camera.
Unfortunately, it doesn’t end there.
Amcrest, like pretty much any other tech company, has a built-in account lockout after incorrect password attempts.
In Amcrest’s case, it’s 30 wrong attempts.
However, an attacker doesn’t get locked out of your account because of the CVE-2017-8227 exploit.
In other words, Amcrest’s security features are absolutely useless in protecting you from hackers.
They’re very good at locking you out if you forget your password, though.
5. IoT Devices Aren’t Secure, To Begin With
The Internet of Things, often called IoT, describes the connection between your various smart home gadgets and your router.
It’s a neat technology that allows us to control our smart homes.
However, it’s inherently insecure.
In many cases, this interconnectivity between devices and home automation allows a hacker to access multiple devices at once.
We have already established that Amcrest devices are incredibly easy to hack over HTTP.
If your camera connects to any other smart home gadget, a hacker might also be able to access these other gadgets.
For example, imagine if you had a couple of Amcrest cameras and an Amcrest Smart Lock that were all connected.
An attacker could easily hack both your cameras and lock without ever coming near your home.
They could disable them and walk into your home without lifting a finger.
Another huge concern with IoT gadgets is that manufacturers aren’t obliged to update their devices.
Maybe you’ll get a few security patches and features updates.
However, after a couple of years, development usually stops, which means that you’ll have to upgrade your devices (or remove them) to ensure you stay safe.
So, all security vulnerabilities in your Amcrest camera and other gadgets will never get fixed.
There’s no way to fix this yourself. Just owning the device puts you at a massive security risk.
This is true for Amcrest cameras and all other smart home gadgets, to an extent.
Should You Buy an Amcrest Camera?
You shouldn’t buy an Amcrest camera because it suffers from several critical security exploits. A hacker can access the camera without authorization, listen to audio recordings, and watch the live feed. The camera’s security features don’t work correctly, and the hacker has unobstructed access.
As mentioned, the worst thing about Amcrest cameras is that malicious actors can abuse all of the exploits mentioned above over HTTP.
So, a hacker from another part of the world can see and hear everything your camera picks up.
Amcrest cameras have great video and sound quality for their price. Unfortunately, that helps an attacker more than it helps you.
Your camera can pick up a lot of information that someone can use against you.
It might record your credit card information when you open your wallet or buy a new couch pillow on Amazon.
Or it could even record when you go on vacation and allow a thief free access to your whole home.
So, Amcrest cameras aren’t worth the risk despite their excellent value.
Amcrest cameras are supposed to protect you and your family from intruders.
Unfortunately, the cameras are rebranded Dahua devices that are owned by the Chinese government.
Even if that wasn’t the case, several security flaws in the camera’s firmware leave you exposed.
Amcrest can’t and won’t try to fix these risks, so you’re on your own.
All that being said, you shouldn’t buy an Amcrest camera.