Misconfigured Swann security cameras result in major privacy breach

A critical key management error on the part of Swann Communications during the manufacturing stage of two home security cameras caused a major privacy concern after video footage of a family’s home was delivered to a third person’s app.

The privacy breach came to light when Ms. Louisa Lewis, who is a member of the BBC’s staff, received footage of an unknown family’s kitchen on her smartphone app. This was the first time since she started using a Swann security camera that she received footage of someone else’s home on her app.

“Human error” led to the privacy breach

When contacted by Ms. Lewis, a Swann spokeswoman said that the privacy breach occurred due to “human error” during the manufacturing stage, adding that both cameras were allocated the same “bank-grade security key”, resulting in footage being shared with both owners.

“This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: ‘Camera is already paired to an account’ and left the camera running.

“We are regretful that this was not addressed immediately and adequately by our support team, when discovered. We have addressed this and made some internal changes. We can confirm that no further data was breached or accessed by additional third parties,” the spokeswoman added.

This was the second such incident involving Swann security cameras in as many months. According to the BBC, a Swann security kit owner mentioned on Twitter in May that he and his wife were receiving footage of a pub on their respective apps.

“One day we were watching our own cameras, the next – when we opened the app up – it was someone else’s. One of the cameras looked over the desk of the maitre d’ and we thought we recognised a stag logo on the pile of menus. Searching the internet for restaurants with a stag theme became a bit of an obsession for us for a week or more,” the owner wrote on Twitter.

Effective key management a must

Commenting on the privacy breach arising from the misconfiguration of two different Swann cameras, Christopher Littlejohns, EMEA manager at Synopsys, said that unless companies put in place effective key management that involves the use of unique and “uncrack-able” keys for each device, we will lose the ability to authoritatively identify people and things connected to the internet, or to transfer their secrets in a secure manner.

“In this particular case a human error resulted in a manufacturing fault with at least two security cameras having the same key causing both cameras to be identified as the same item. The net result was that images, sound and videos were sent from one camera to the wrong user on their mobile phone.

“Whilst the impact of this is mostly on the vendor’s reputation, the same issue appearing in something like Bitcoin or other high-value item could be catastrophic – huge sums of money could be lost, confidence eroded in a service, or even State Secrets revealed to hostile governments,” he said, adding that internet security is only as good as the weakest supply chain link, the generation and allocation of keys being part of that supply chain.

“Issues such as this may cause significant difficulties with government regulations, for example European Union GDPR compliance. Poor key management may be considered negligent when it results in such data privacy issues, and there cannot be many things much more relevant to privacy than sending videos from your own home to the wrong person,” he added.
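The two controls this incident points to, sketched as an added example that is not Swann's code or taken from the article: a factory-side audit that flags any key allocated to more than one device, and a cloud-side pairing check that refuses a second account instead of showing a dismissible warning. All function names, serial numbers and account names are hypothetical, and the manifest is constructed sample data.

```python
import hashlib
import secrets
from collections import defaultdict

def fingerprint(key: bytes) -> str:
    """SHA-256 fingerprint, so ledgers and logs never hold the raw key."""
    return hashlib.sha256(key).hexdigest()

def find_duplicate_keys(manifest):
    """Return {fingerprint: [serials]} for each key allocated to more than one device."""
    by_fp = defaultdict(list)
    for serial, key in manifest:
        by_fp[fingerprint(key)].append(serial)
    return {fp: serials for fp, serials in by_fp.items() if len(serials) > 1}

class PairingRegistry:
    """Cloud-side view: one key fingerprint belongs to exactly one account."""

    def __init__(self):
        self._owner = {}  # fingerprint -> account id

    def pair(self, account: str, key: bytes) -> bool:
        fp = fingerprint(key)
        owner = self._owner.setdefault(fp, account)
        # Fail closed: a different account presenting an already-paired key
        # is refused outright rather than warned and allowed to continue.
        return owner == account

def build_sample_manifest():
    """Constructed data: four devices, one key copied to two of them by mistake."""
    keys = [secrets.token_bytes(32) for _ in range(3)]
    return [
        ("CAM-0001", keys[0]),
        ("CAM-0002", keys[1]),
        ("CAM-0003", keys[2]),
        ("CAM-0004", keys[1]),  # duplicate allocation
    ]

if __name__ == "__main__":
    manifest = build_sample_manifest()
    # Factory gate: any hit here should block the batch from shipping.
    for fp, serials in find_duplicate_keys(manifest).items():
        print(f"duplicate key {fp[:12]}... allocated to {serials}")
    # Cloud gate: the second owner of the duplicated key is rejected.
    registry = PairingRegistry()
    print("account-a paired:", registry.pair("account-a", manifest[1][1]))
    print("account-b paired:", registry.pair("account-b", manifest[3][1]))
```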


Copyright Lyonsdown Limited 2021
