A critical key management error on part of Swann Commumications during the manufacturing stage of two home security cameras caused a major privacy concern after video footage of a family's home was delivered to a third person's app.
The privacy breach came to light when Ms. Louisa Lewis, who is a member of the BBC's staff, received footage of an unknown family's kitchen on her smartphone app. This was the first time since she started using a Swann security camera that she received footage of someone else's home on her app.
"Human error" led to the privacy breach
When contacted by Ms. Lewis, a Swann spokeswoman said that the privacy breach occurred due to "human error" during the manufacturing stage, adding that both cameras were allocated the same "bank-grade security key", resulting in footage being shared with both owners.
"This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: 'Camera is already paired to an account' and left the camera running.
"We are regretful that this was not addressed immediately and adequately by our support team, when discovered. We have addressed this and made some internal changes. We can confirm that no further data was breached or accessed by additional third parties," the spokeswoman added.
This was the second such incident involving Swann security cameras in as many months. According to the BBC, a Swann security kit owner mentioned on Twitter in May that he and his wife were receiving footage of a pub on their respective apps.
"One day we were watching our own cameras, the next - when we opened the app up - it was someone else's. One of the cameras looked over the desk of the maitre d' and we thought we recognised a stag logo on the pile of menus. Searching the internet for restaurants with a stag theme became a bit of an obsession for us for a week or more," the owner wrote on Twitter.
Effective key management a must
Commenting on the privacy breach arising out of misconfiguration of two different Swann cameras, Christopher Littlejohns, EMEA manager at Synopsys, said that if effective key management is not put in place by companies that involve the use of unique and “uncrack-able” keys for each device, we will lose the ability to authoritatively identify people and things connected to the internet, or to transfer their secrets in a secure manner.
"In this particular case a human error resulted in a manufacturing fault with at least two security cameras having the same key causing both cameras to be identified as the same item. The net result was that images, sound and videos were sent from one camera to the wrong user on their mobile phone.
"Whilst the impact of this is mostly on the vendors reputation, the same issue appearing in something like Bitcoin or other high-value item could be catastrophic – huge sums of money could be lost, confidence eroded in a service, or even State Secrets revealed to hostile governments," he said, adding that internet security is only as good as the weakest supply chain link, the generation and allocation of keys being part of that supply chain.
"Issues such as this may cause significant difficulties with government regulations, for example European Union GDPR compliance. Poor key management may be considered negligent when it results in such data privacy issues, and there cannot be many things much more relevant to privacy than sending videos from your own home to the wrong person," he added.
Lack of encryption leaves connected cameras highly vulnerable to cyber-attacks
Hackers post live footage from webcams on Russian website
Britain's surveillance camera network at risk from hackers
IoT-connected CCTV cameras hacked to launch cyber attacks