Spyware, Viruses, & Security forum

Alert

Amcrest ProHD Camera Serious Security Issue

by Dorloran / May 25, 2016 9:05 AM PDT

I am able to see through the Amcrest camera that I no longer own into the new owner's bedroom!!

I purchased the Amcrest ProHD 1080P internet security camera from Amazon in late February, 2016. Dissatisfied with the software--particularly the Motion Detection Notifications settings--I returned the camera to Amazon; they received it April 2, 2016. I deleted the App on my iPhone, and had already set the email motion detection notifications to go to my Junk mail because I was getting hammered by them.

On Friday, May 20, 2016, I noticed that I had over 1500 Junk emails. Opening the folder, I discovered that beginning April 14, 2016, to present, I was getting motion detection notifications from the camera. I was baffled--before I returned it, I wiped and reset the camera to out-of-the-box status.

Opening a notification email gave me a link to Amcrestcloud. Going there, I was able to log in, and had the option to Liveview the camera. When I did--I WAS LOOKING INTO SOMEONE ELSE'S BEDROOM! I also had access to the 4-hour loop timeline and I could control the camera (pan, etc). I was appalled. I immediately showed my wife what was going on, and she was sickened.

I shut down the access and contacted Amcrest support--they not only were baffled by what was going on, they seemed more concerned with trying to get the notifications to stop. I explained that the notifications were NOT the problem--the problem is that I can see into someone else's bedroom through the camera! They took my info and promised to call back, but nothing.

I then contacted Amazon, and in the most forceful language I put them on notice of the horrific security, privacy, and ethical issues with this product. I asked that they notify everyone who had purchased this product, and/or put a warning on their site, and/or stop selling the product until the issue is resolved. I received a more or less stock response from their customer service rep and in an email reply to an email I sent them, documenting the problem.

I cannot contact the young lady into whose bedroom I can see, and neither Amcrest nor Amazon seem concerned. I'm looking for guidance and advice. This issue needs to go big and people need to hear loud and clear about this problem. Any help or getting the word out is greatly appreciated.

I have taken screen shots of the email notifications, the email itself, and others to document the situation.

Thanks in advance.

********************

2/9/2017 Note: edited by Forum Admin to include update and response from Amcrest directly

Attention: This is a direct response from Amcrest 2/09/2017

We at Amcrest apologize for any distress this may have caused you. Please note, this is a rare occurrence. Typically, only when third-party sellers resell returned cameras without first removing their camera settings from their cloud account may the issue arise.

Our practice is to require all our retailers to send us back all returned cameras so that we may remove the camera from the Cloud and perform a hard reset on the camera before resale. So for customers who buy Amcrest products from Amcrest authorized sellers and resellers, this should be no problem.

Note that at Amcrest, we have several measures in place to prevent this from happening including:

1. Notifying Amazon and all authorized retailers of this issue and requiring them to return all used/returned cameras to us directly so that we can remove them from the Cloud. Retailers are not authorized to resell used cameras.

2. A new firmware update which removes the camera from the cloud whenever a hard reset occurs. Thus, even if a used camera is sold to a new customer without going through our facility, the camera will be disassociated from the cloud once a hard reset is performed.

3. Latest firmware having additional security measures which require Amcrest Cloud users to also provide the username and password of their camera as well as their Cloud login to ensure the camera in their possession is the same as the camera associated with their Cloud account.

We will also require all Amcrest Cloud customers to re-authenticate their account with their camera credentials.

The security and privacy of all of our customers is our #1 priority.
We would be more than happy to address any questions or concerns you may have. Please contact us directly at amazon@amcrest.com, as you purchased it through Amazon. The email will go directly to us and not Amazon and I promise we will do everything we can to assist you or answer any questions. Thank you for your time and understanding. We hope we were able to clear up any concerns you may have.

Amcrest Team

Yup. Not a new issue.
by R. Proffitt Forum moderator / May 25, 2016 9:27 AM PDT

While it's upsetting, the horrible truth is that many webcams are accessible without name and password. This has been kicked around for years now.

So if folk don't secure their cameras there's little to add here.

However I am encountering folk that think it's the product maker/seller's responsibility to lock it down. And that is debatable.

General Risk or Inherent Flaw in this Product?
by Dorloran / May 25, 2016 9:50 AM PDT
In reply to: Yup. Not a new issue.

Well, at least thank you for responding. If "this has been kicked around for years now," that would explain the apparent lack of urgency on the part of both Amcrest and Amazon. Now, if I could only lose the lack of urgency on my part and the memory of the sick feeling I got upon discovery I still had access to this camera.

I understand, of course, that any internet-connected device poses at least some level of security and privacy concerns and vulnerabilities. But, I'm a tech guy myself and wiped the camera before I returned it. And, at least anecdotally, I do not think the average user of these devices sees them as a security risk. For example, it's an "internet security camera" that's supposed to, well, make you secure. It's ironic in the least that the device itself would make one more vulnerable.

And, while I agree that the debate about who is responsible for locking down the device has good points on all sides, I wonder if in this particular instance my ability to still see through the camera is a huge flaw that is inherent in this device's software as opposed to, say, someone willfully trying to "hack" or access the device with purpose. For me, in this instance, that's what concerns me.

Thanks again for responding. I do hope to hear from others.

Here's an article about well, it.
by R. Proffitt Forum moderator / May 25, 2016 10:02 AM PDT

http://null-byte.wonderhowto.com/how-to/hack-like-pro-find-vulnerable-webcams-across-globe-using-shodan-0154830/

So the internet is full of folk that scan the web for hits that indicate a web cam or such is there. Now most owners can't deal with securing the product and the makers can not publish a book on security as no one I know will read it.

That link has dozens of default name and passwords for many models too.

I know it sounds horrible but security today is up to us.

Misses the Point?
by Dorloran / May 25, 2016 10:45 AM PDT

Don't mean to argue and you can have the last word, but I think your posts miss the point.

I am -not- a hacker, and I don't scan the internet looking for web cams. I did not look into this woman's bedroom by intent. I am able to do it by accident.

I might be wrong here, but I think there is a huge difference between realizing that -any- internet web cam is vulnerable to hacking vs. the horrific misfortune of receiving email notifications that I can open and peer into an unsuspecting someone's bedroom, with no effort or intention on my part.

I just think the "everything is vulnerable on the internet" misses the point here. I am not acting by intention, or nefariously, or through intent or effort. There is obviously an inherent flaw in the software of this device. That is quite different from saying that the software is vulnerable to hacking.

The problem is a -flaw- in the Amcrest software that automatically makes it vulnerable with no action or intent needed on my part; indeed, it has -invited- me into this unsuspecting young woman's bedroom.

Thanks again, though, for the response.

I agree with you here.
by R. Proffitt Forum moderator / May 25, 2016 10:57 AM PDT
In reply to: Misses the Point?

Let me share that one of my jobs had me travel to The East (where these things are made) and their software is definitely years behind where it needs to be in the areas you are asking about.

Wishing the industry would wake up and address it but that's not happening.

Possible?
by Fishstyx / August 31, 2016 12:32 PM PDT
In reply to: Misses the Point?

Do you still have your online "AmcrestView.com" account with those devices registered by serial number? When the cameras are reset to factory defaults, they will, by default, phone home to the Amcrest website and register their serial number. If the new owner never changed the default Admin/admin logon, you can get back into the camera whenever it has Internet access.

To be clear, this is NOT like the other camera exposures
by scottprive / February 25, 2017 11:40 AM PST
In reply to: Yup. Not a new issue.

A couple of additions:
1) The latest Amcrest software fixes this.
2) This is more to be educational than anything else, since it is fixed.
The Amcrest Cloud problem was nothing at all like the "old issue" of exposed cameras on the Internet. In fact the Amcrest Cloud was designed to fix THAT problem.

The "not a new issue" with most cameras means opening ports on your router and forwarding them to your camera (so now it is "exposed" to port scans and the Internet), coupled with the fact people weren't resetting default passwords.

Amcrest was different. When you got an Amcrest camera, the camera has an ID. That ID gets associated with your cloud account. The camera pushes video to the cloud. The Amcrest Cloud client (or notifications) would simply ask the cloud server for a particular camera ID (oversimplified here) that has pushed video to the cloud.

The problem was: returning the camera, or erasing the camera, does not change this piece of ownership configuration because it was stored on the Amcrest Cloud servers. Based on the Amcrest response, it looks like the client looks for cameras using not just the camera ID but the account name as well (probably also oversimplified), but the point is that combination will be unique to a camera owner even if the camera is sold or given away. So it's fixed.
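
The stale binding described in this post and the two firmware remediations Amcrest lists, as an added sketch that is not part of the thread and is not Amcrest's code. The `Camera` and `Cloud` classes, the two flags, and all IDs, account names and passwords are hypothetical, constructed for illustration.

```python
import hmac

class Camera:
    def __init__(self, camera_id, password):
        self.camera_id = camera_id
        self.password = password            # camera-level credential, stored on device

    def hard_reset(self, cloud):
        self.password = "factory-default"   # constructed placeholder value
        cloud.on_hard_reset(self.camera_id)

class Cloud:
    """Server-side record of which account may view which camera ID."""
    def __init__(self, unbind_on_reset=False, check_camera_password=False):
        self.unbind_on_reset = unbind_on_reset
        self.check_camera_password = check_camera_password
        self.bindings = set()               # {(account, camera_id)}

    def _password_ok(self, camera, password):
        return hmac.compare_digest(password.encode(), camera.password.encode())

    def register(self, account, camera, password):
        if self.check_camera_password and not self._password_ok(camera, password):
            return False
        self.bindings.add((account, camera.camera_id))
        return True

    def on_hard_reset(self, camera_id):
        if self.unbind_on_reset:            # remediation: reset drops every binding
            self.bindings = {b for b in self.bindings if b[1] != camera_id}

    def can_view(self, account, camera, password):
        if (account, camera.camera_id) not in self.bindings:
            return False
        if self.check_camera_password:      # remediation: prove possession of the device
            return self._password_ok(camera, password)
        return True

def resale(cloud):
    """Return (previous owner can view, new owner can view) after a return and resale."""
    cam = Camera("CAM-0001", "first-owner-pw")          # constructed values
    cloud.register("first_owner", cam, "first-owner-pw")
    cam.hard_reset(cloud)                               # wiped before being returned
    cam.password = "second-owner-pw"                    # new owner sets own credentials
    cloud.register("second_owner", cam, "second-owner-pw")
    return (cloud.can_view("first_owner", cam, "first-owner-pw"),
            cloud.can_view("second_owner", cam, "second-owner-pw"))
```

With both flags off, `resale(Cloud())` shows the previous owner keeping access after the wipe, because the binding lives only on the server; either flag alone is enough to cut that access in this model.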

same issue
by trongcnet / August 26, 2016 3:27 PM PDT

I am looking at someone's living room now. Same problem. I wonder if anyone is looking in my camera. This is a terrible privacy problem. Do not have sex in your house if you have an Amcrest camera there connected to the cloud.

Same issue with me
by jancewicz123 / May 2, 2017 11:16 PM PDT
In reply to: same issue

A similar issue is happening to me also.

jancewicz123, have you read the update from Amcrest..
by Lee Koo (ADMIN) CNET staff/forum admin / May 3, 2017 9:33 AM PDT
In reply to: Same issue with me

in the original post and contacted them directly?

If you haven't please give it a read and contact them.

Thank you,
-Lee

Response to Security Concerns
by Amcrest_Support / October 7, 2016 11:26 AM PDT

Hello Dorloran,

We apologize for any distress or inconvenience which you have experienced. We are aware of this issue and wanted to reassure you that this type of error only occurs with used cameras where the previous user has not disassociated the camera from their existing cloud account. For example, this may happen where a user has returned a camera to Amazon and Amazon sells the used camera to a new customer or where a user has resold their used camera through eBay or some other method without firstly removing their camera from their cloud account. The issue does not affect new cameras at all and only affects previously used cameras that have not been properly removed from the cloud.

We wanted to assure you that our protocol for receiving returned units is to first remove the camera from the cloud and then to perform a hard reset on the camera. This type of error would only have occurred where used cameras are sold directly by end users or retailers without first notifying us about the change in ownership of the camera so that the camera could be removed from the previous owner's cloud account.

We have rectified the situation by putting the following security remediation measures in place:

1) We have notified Amazon as well as all other retailers of this issue and required them to return all used/returned cameras to us directly so that we can remove them from the cloud. Amazon and other retailers are no longer allowed to sell used cameras directly without having the cameras go through our facility first and us removing the cameras from the previous user's cloud account.
2) In addition, we have released a new firmware update which essentially removes the camera from the cloud whenever a hard reset occurs. Thus, even if a used camera is sold to a new customer without going through our facility, if the new customer or the previous owner does a hard reset on the camera, the camera will be automatically disassociated from the cloud.
3) In our new latest firmware, we have added additional security measures which require further camera level username and password authentication to add and view a camera on the cloud. This will further prevent this issue from occurring.

We want to assure you that you and every single one of our customers' security, both past and present, is our utmost concern and we take it as our #1 priority. We would be more than happy to answer any other questions or address any concerns. You may contact us directly at amazon@amcrest.com, as you purchased it through Amazon. The email will go directly to us and not Amazon and I promise I will do everything I can to assist you or answer any questions. Thank you for your time and understanding.

Why it still knows your email addr after the reset
by neo1221 / December 28, 2016 2:26 PM PST

Reading the post concerns me, but I am also wondering why the unit still knew the email addr to send the notification emails even after a reset?

Amcrest is Lying about security breach!
by BlueIvy1 / May 16, 2017 3:16 AM PDT

Amcrest is lying! I purchased ALL of my cameras directly from them. I returned one because the card was stuck in it. They said the camera could not be repaired and sent me a new one. They re-sold my broken camera and a few months later I too was getting email messages for the camera I returned. I logged on to the Cloud and could see Live into someone's house! I had full control of the camera! Scary and a total security breach! Now I wonder who is watching ME in my house over the internet!!

I've seen my camera move by itself
by majdamage / October 1, 2017 7:46 AM PDT

Is someone spying? I created unique username and PWs.
