They are practically everywhere these days. They are available for indoors and outdoors, small and large. They have insight into the most private and secure areas of our apartments, houses and workplaces. They can usually even see in the dark, react to every movement and monitor our gardens, backyards and pets. We are, of course, talking about “IP cameras”.

Hardly any other product category in the Internet of Things has such a wide range of products as smart cameras, and precisely because they are so popular, there are unfortunately still many products today where security is not necessarily a priority. Reports of vulnerabilities are not uncommon, and the consequence is that attackers, or in the worst case anyone on the Internet, can access the camera; the user then quickly goes from watching to being watched.

In order to provide interested users with an overview of the most common products and their level of security, we are now also introducing the “IP cameras” product overview following our smart lock comparison. This will again list all the products we have tested and certified and provide a security assessment of them. In addition, we will again try to keep it as up to date as possible and adapt or expand it if necessary and/or new findings emerge.

The contenders

With a product category as popular as IP cameras, it is hardly surprising that new products are constantly being added to the range – a comprehensive overview is more difficult than in any other product category. When selecting the products that we test here, we therefore look again at the popularity of the individual product and select test candidates based on related criteria (e.g. sales figures and ratings in popular electronics stores). As mentioned, outdated devices can also be removed and current devices added.

Eufy eufyCam S330 (eufyCam 3)

The Chinese technology company Anker has been marketing smart security cameras under the Eufy brand for some time now, alongside e.g. vacuum cleaners and robot vacuum cleaners. A few years ago, we already had a model of the security camera (eufyCam 2) in a Quick-Check and at that time we already noticed some points that suggested potential security problems. Our assumption was later confirmed when a relatively serious vulnerability was discovered that allowed unauthorized persons to access the camera stream, even if this required special attacker knowledge. As the Eufy cameras are still very popular with buyers despite everything, we couldn’t help but take a look at the latest version of the Chinese surveillance camera.

In addition to the camera itself, the Eufy Homebase 3 is also required to operate the camera, which can manage other compatible devices in addition to the cameras and handles communication with the cloud. A Homebase can be paired with up to 16 individual cameras and also serves as a local repository for recorded video data thanks to the built-in 16 GB memory, which can also be expanded by using a conventional hard disk.
The cameras themselves can be installed wirelessly and then communicate with the Homebase via Wi-Fi. Power is supplied via a solar panel attached to the top of the camera. The manufacturer states that 2 hours of sunlight per day are sufficient to keep the camera permanently charged under normal operating conditions. Otherwise, the Eufy camera system basically offers everything you would expect and even more: 4K video recording, two-way audio function and compatibility with the two most popular voice assistants from Amazon and Google are pretty standard. In addition, AI is also used in the form of Bionic Mind, which allows, for example, learning trustworthy persons and thus a smart alarm function that only sounds an alarm if persons are recognized who are not known to the system. Other features include, for example, the ability to set monitoring zones, which means that a camera can be configured to monitor only defined zones rather than the entire area it can see. The option of automatically displaying daily security briefings, which summarize all security incidents of the day, is certainly also of interest to some users.

In terms of security, the Eufy solution tries to keep up with the rich selection of features, but as with its predecessor, some important points are overlooked. The communication of the mobile applications does not look bad in and of itself: During the analysis, we were only able to observe TLS encrypted communication for control and authentication purposes, in which encryption is applied once again to the actual payload in addition to the TLS encryption layer – so the payload data is encrypted twice here. This is certainly not necessary with an adequate implementation of TLS communication, but is of course not harmful either.

Additional encrypted payload for communication that is already TLS encrypted

We are just not quite sure whether the extra effort (after all, an additional key exchange via ECDH had to be implemented for this) was really taken on for security reasons or whether it was actually intended to hinder the analysis of the communication. It is also possible that the encryption for video data transport via UDP was simply reapplied to all other communication if it was already in place – just to be on the safe side. In any case, the app communication does not appear to have any obvious weak points.

When it comes to Homebase 3 communication, however, things look a little different: The communication is also TLS encrypted, although the implementation on the device side does not appear to be completely correct or complete. In the test, it was possible to break the encryption and gain access to plain text communication via a simple man-in-the-middle attack – adequate certificate checks do not seem to be in place or are incomplete. Theoretically, this opens up a number of attack scenarios, from replay attacks to direct manipulation of communication between the Homebase and the cloud. If several encryption layers are implemented for the communication of the app, at least one functioning one should be implemented for the communication of the Homebase.

Homebase communication (example configuration)

Apart from that, there are only a few other minor points to mention regarding security. For example, the app can be installed on outdated Android versions (Android 8, API 26), which have a whole list of known vulnerabilities – not a fault of the app developer, of course, but for security-relevant apps we would always recommend using a correspondingly up-to-date OS version.

In terms of data protection, the solution is actually quite solid. The only trackers that can be reliably identified are the two Google modules CrashLytics and Firebase. The search for known proprietary libraries also provides hardly any information. Although it contains around 100 shared libraries, only one of them can be identified.

The data protection analysis of the Eufy solution then shows a fairly solid, if not perfect, picture. The privacy policy for the solution is perfectly fine and provides the user with all the essential data on data collection, processing and storage. A fairly extensive collection of data can be observed, but since the user is informed about this, no real criticism can be voiced here. The fact that, strictly speaking, the whole thing is not GDPR-compliant, as data is collected even before the privacy policy is actively accepted, was to be expected here, as is so often the case, but was certainly not intended by the developers.

Overall, the Eufy solution is not bad in principle. It is certainly a good solution in terms of functionality, but there is still room for improvement in terms of security and the implementation of data protection. In the past, the previous versions had even bigger problems, which have obviously been worked on, but the inadequately secured communication of the Homebase is still a big problem, especially as we have only scratched the surface here. Overall, we can therefore award no more than 1 out of 3 stars from a security point of view.

Aqara Camera E1

The E1 model from Aqara is a 360° camera that advertises person tracking. It is compatible with multiple platforms such as Apple Home, Google Home and Alexa. Users have the option of using encrypted cloud storage with a subscription (with 24 hours free storage for critical events) or storing the data locally on a microSD card and additionally backing it up via SMB3-compatible NAS storage. The camera is connected via Wi-Fi 6.

There were no serious problems in our Quick-Check, but we did notice a few minor points of improvement. In the static analysis of the application code, we noticed that the libraries used could be better protected, especially since the Android app acts as a wrapper for these libraries.

The dynamic analysis showed that trackers such as Google Crashlytics, Google Firebase Analytics and Facebook were already communicating before the user could read the privacy policy. This constitutes unlawful data transmission without the user’s consent and should be stopped as a matter of urgency. This is particularly regrettable as the privacy policy is very comprehensive and provides detailed information about the use of trackers – a rather rare case.

Communication between the app and the server takes place via TLS1.2 encryption, which ensures secure data transmission. After removing the encryption by modifying the app source code, it was found that all requests are protected by a token. This token is issued after login. The login process can be carried out either via an authentication code that the user receives by email or by entering a password directly.

Authcode Login
Password Login
Login – Result
P2P connection request to camera
P2P connection request to camera – Result

The camera also offers a Bluetooth connection to the app to enable simple pairing. Other notable functions include the option to log in using two-factor authentication (2FA) with a password and email. However, this security measure should be standard nowadays. The app also provides an overview of all devices accessing the account and shows the time of the last login. Devices can also be logged out here.

Another feature that Aqara describes as “Enhanced Privacy” is the ability to set predefined positions to which the camera can move (for example, to a wall), as well as disabling the two-way audio function. However, if the camera is sold in Germany, it should also offer zone monitoring to meet data protection requirements. Otherwise, it could not be used in places where public paths are in the field of view, such as the entrance to the front door, as the 360° field of view always also covers the sidewalk in front of the property.

A special feature of the camera is that it can be automated. However, it would be desirable to offer predefined scenarios such as sending a push message when movement or a person is detected. Currently, the user has to create these scenarios manually before they can be used.

Overall, the Aqara solution only has minor weaknesses in terms of security, but we simply have to deduct one star for the strictly speaking illegal data collection. Unfortunately, we see this behavior regularly and need to start drawing more attention to it.

Anran P3 Max

The Anran P3 Max is a 360° camera equipped with people tracking and two-way audio communication. It also offers an alarm function with siren and three different night vision modes: infrared, color night vision and an alarm mode. The camera also advertises 5 MP ultra HD resolution and continuous 24/7 recording.

In our Quick-Check, we first subjected the app to a static analysis and found that unencrypted plain text traffic is permitted. This setting should be deactivated by default to ensure secure communication. In addition, the app supports outdated Android versions (from Android 5.0, SDK 21), which is problematic as these devices may no longer receive sufficient security updates. Even the most secure app cannot protect if the underlying operating system is vulnerable.

During the dynamic analysis, we discovered that three trackers (Google Crashlytics, Google Firebase Analytics and Bugly) were active before the user could read the privacy policy. This constitutes unauthorized data transfer without the user’s consent and should be corrected urgently. The privacy policy itself is very detailed and provides the user with comprehensive information, including the use of trackers such as Google and Facebook. However, there is no reference to the use of Bugly.

Communication between the app and the server takes place via TLS1.2 encryption, which ensures secure data transmission. After removing the encryption by modifying the app source code, it was found that all requests are protected by a token. This token is issued after login. Login is only possible using a password, as there is no option for two-factor authentication (2FA). The camera also supports the ONVIF standard, which the user can activate in order to integrate the camera into an existing security system. In this case, a connection is first established via HTTP before communication takes place via RTSP (Real-Time Streaming Protocol).

Login
Login – Result
ONVIF Login

The connection to the camera is established via 2.4 GHz WiFi (no 5 GHz), whereby the WiFi password is read by the camera via a QR code.

Other functions include motion and noise detection as well as encryption of the recorded data. Unfortunately, however, there is no zone monitoring, just a simple on/off function for the camera lens. Push notifications are available when motion is detected, but without a video clip unless you subscribe to the cloud service. However, videos can be created manually and saved locally on a microSD card.

Finally, it should be mentioned that the P3 Max is weatherproof and designed for outdoor use.

An initial quick check of the Anran solution did not reveal any really critical points in terms of security. In terms of data protection, however, we have the same problem of unlawful data collection as with the two previous test candidates. More than 2 out of 3 stars are therefore not possible here either.

Yale Wi-Fi indoor camera

The Yale Wi-Fi indoor camera is an indoor camera equipped with motion detection and two-way audio communication. It also offers video resolution in 1080p Full HD.

In our quick test, we first subjected the app to a static analysis and found that unencrypted plain text traffic is permitted. This setting should be deactivated by default to make communication more secure.

During the dynamic analysis, we were pleased to find that no trackers were activated before the user was able to read the privacy policy. The privacy policy covers all essential points, but is less detailed compared to the previously tested cameras. It is worth noting that no trackers were found in our static and dynamic analyses – a rare feature that makes the app stand out positively in terms of data protection.

Communication between the app and the server takes place via TLS1.2 encryption, which ensures secure data transmission. After removing the encryption by modifying the app source code, it was found that all requests are protected by a token. This token is issued after login. By default, a password is used to log in. Two-factor authentication (2FA) is also available, which is implemented via a fingerprint sensor. The camera also supports the ONVIF standard, which the user can activate to integrate the camera into an existing security system. In this case, a connection is first established via HTTP before communication takes place via RTSP (Real-Time Streaming Protocol).

Login and Result

The camera is connected via Wi-Fi and is compatible with the Google Assistant. Other functions include night vision and the option to save data locally on an SD card. The camera supports data encryption and sends push notifications when motion is detected, although the recordings are only saved locally on the SD card.

One vulnerability we noticed concerns the password change: it is possible to change the password without having to re-authenticate, while re-authentication is required to extract log data. This could represent a potential security vulnerability. On a positive note, the camera offers a privacy mode that covers the lens and zone monitoring, which allows certain parts of the image to be hidden to protect privacy.

Another notable feature is support for the ONVIF standard, which allows the camera to be integrated into an existing security system.

Overall, the Yale solution is not guilty of anything really serious and also impresses from a data protection perspective without any major conspicuous features. Accordingly, it is also rated with the full 3 out of 3 stars.

Blink Outdoor 3

The Blink Outdoor 3 is an outdoor camera equipped with motion detection, two-way audio communication and 1080p HD video resolution. It also has infrared for night vision, making it a versatile surveillance solution.

In our Quick-Check, we ran a static analysis on the associated app and found that unencrypted plaintext traffic is allowed for a specific domain (172.16.97.199). This setting should be deactivated by default to ensure the security of communication. In addition, the app’s certificate is signed with the SHA1withRSA algorithm, which is known for its susceptibility to collisions. Furthermore, the app supports outdated Android versions (from Android 9, SDK 28), which can be problematic as they may no longer receive the latest security updates. A secure app can do little if the operating system itself has vulnerabilities.
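The static-analysis findings above (cleartext traffic permitted, here for one address, and an outdated minimum Android version), and the same findings for the Anran and Yale apps earlier on this page, can be checked mechanically from an app's decoded resources. The following is an added example written for this overview, not code from the article or from any of the tested apps; both XML inputs are constructed samples, and the API 29 cut-off is an assumed policy value.

```python
# Added example (not from the article or any tested app): check a decoded
# network_security_config.xml and AndroidManifest.xml for cleartext traffic
# and an outdated minSdkVersion. Both inputs below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # namespace prefix ElementTree uses for android:* attrs

# Constructed config: cleartext off globally but allowed for one address,
# the pattern described for the Blink app above.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">172.16.97.199</domain>
  </domain-config>
</network-security-config>"""

# Constructed manifest with a low minSdkVersion (Android 5.0 = API 21).
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.camera">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34" />
</manifest>"""


def audit_cleartext(nsc_xml):
    """Return the global cleartext flag and every host that permits cleartext."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    # An absent attribute means the platform default applies (cleartext only
    # allowed when targetSdkVersion < 28); we report it as "not explicitly on".
    global_allowed = base is not None and base.get("cleartextTrafficPermitted") == "true"
    hosts = []
    for cfg in root.iter("domain-config"):  # iter() also reaches nested configs
        if cfg.get("cleartextTrafficPermitted") == "true":
            hosts += [d.text.strip() for d in cfg.findall("domain") if d.text]
    return {"global_cleartext": global_allowed, "cleartext_hosts": hosts}


def audit_manifest(manifest_xml, oldest_acceptable_sdk):
    """Flag a minSdkVersion below the given cut-off (a reviewer's policy value)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    return {"min_sdk": min_sdk, "outdated_min_sdk": min_sdk < oldest_acceptable_sdk}


def findings(nsc_xml, manifest_xml, oldest_acceptable_sdk=29):
    """Combine both audits into readable findings. API 29 is an assumed cut-off."""
    nsc = audit_cleartext(nsc_xml)
    man = audit_manifest(manifest_xml, oldest_acceptable_sdk)
    out = []
    if nsc["global_cleartext"]:
        out.append("cleartext traffic permitted for all hosts")
    out += [f"cleartext traffic permitted for {h}" for h in nsc["cleartext_hosts"]]
    if man["outdated_min_sdk"]:
        out.append(f"minSdkVersion {man['min_sdk']} is below cut-off {oldest_acceptable_sdk}")
    return out
```

Calling `findings(SAMPLE_NSC, SAMPLE_MANIFEST)` on the samples yields one cleartext finding for the listed address and one for the low minSdkVersion.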

During the dynamic analysis, we discovered that three trackers, including Google Firebase Analytics, were already activated before the privacy policy was read. This constitutes unauthorized data transmission without the user’s consent and should be rectified as a matter of urgency. The Google Crashlytics tracker was also found. The app’s privacy policy is generally well structured and informs users about their rights and powers. However, there is no direct contact person (neither phone number nor email) in the privacy policy, and the support ticket link provided led to a 404 error message (page not found).
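The "trackers active before the privacy policy is accepted" finding, reported here for Blink and earlier for Aqara and Anran, comes from correlating the app's outbound connections with the moment of consent. The following is an added example written for this overview, not code from the article or any tested app; the log format and the tracker host table are assumptions, and the log lines are constructed.

```python
# Added example (not from the article or any tested app): replay a constructed
# connection log of a camera app and list the tracker endpoints contacted
# before the user accepted the privacy policy. Log format and tracker table
# are assumptions made for this example.
from datetime import datetime

# Assumed mapping of host suffixes to the tracker names used in the article.
TRACKER_SUFFIXES = {
    "crashlytics.com": "Google Crashlytics",
    "app-measurement.com": "Google Firebase Analytics",
    "graph.facebook.com": "Facebook",
    "bugly.qq.com": "Bugly",
}

# Constructed log, one event per line:
#   "<ISO timestamp> CONNECT <host>:<port>"  or  "<ISO timestamp> UI <event>"
SAMPLE_LOG = """\
2024-05-02T10:00:01 CONNECT firebase-settings.crashlytics.com:443
2024-05-02T10:00:02 CONNECT app-measurement.com:443
2024-05-02T10:00:05 CONNECT api.camera-vendor.invalid:443
2024-05-02T10:00:09 UI privacy_policy_accepted
2024-05-02T10:00:11 CONNECT graph.facebook.com:443
2024-05-02T10:00:12 CONNECT android.bugly.qq.com:443
"""


def tracker_name(host):
    """Map a host to a tracker name, or None if it is not a known tracker."""
    for suffix, name in TRACKER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_log(text):
    """Yield (timestamp, kind, detail); detail is the host or the UI event."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(maxsplit=2)
        if kind == "CONNECT":
            detail = detail.rsplit(":", 1)[0]  # drop the port
        yield datetime.fromisoformat(ts), kind, detail


def trackers_before_consent(text):
    """Return (host, tracker) pairs contacted before consent. With no consent
    event in the log at all, every tracker contact counts as pre-consent."""
    events = list(parse_log(text))
    consent = [ts for ts, kind, d in events if kind == "UI" and d == "privacy_policy_accepted"]
    cutoff = min(consent) if consent else datetime.max
    found = []
    for ts, kind, host in events:
        name = tracker_name(host) if kind == "CONNECT" else None
        if name and ts < cutoff:
            found.append((host, name))
    return found
```

On the sample log this reports Crashlytics and Firebase Analytics as contacted before consent, while the Facebook and Bugly contacts after the UI event are not flagged.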

Communication between the app and the server takes place via TLS1.2 encryption, which ensures secure data transmission. After removing the encryption by modifying the app source code, it was found that all requests are protected by a token. This token is issued after login. Login takes place via two-factor authentication (2FA). First, the password is checked, followed by a request for an SMS PIN.

Login Password
Login Password – Result
SMS PIN
SMS PIN – Result

The camera is connected via Wi-Fi and requires the Sync Module 2 to function. It is battery-powered and weatherproof, making it ideal for outdoor use. Other features include night vision and the ability to save recordings locally on an SD card. When motion is detected, the camera sends push notifications, and if the cloud service is active (one month free), the recordings can be displayed immediately in the app. Without cloud access, the notification is sent without immediate video display, which can lead to a delay in retrieving the recordings from the SD card.

A positive aspect of the Blink Outdoor 3 is zone monitoring, which allows certain areas of the field of view to be unmonitored to better protect privacy.

In terms of security, there are also no serious points to note with the Blink camera. Unfortunately, the privacy policy does not provide full information on all essential topics and there is also evidence of unlawful data collection before the privacy policy is accepted. Overall, we therefore give it a good 2 out of 3 stars.