Recently, our research team looked at the security of app companion accounts belonging to ten IP cameras. Each of these cameras has been listed in Amazon’s “Hot New Releases” and “Best Selling” categories.

Avast IoT researcher Marko Zbirka investigated whether the apps that come with smart cameras include a two-factor authentication option, send the owner a notification that someone has attempted or successfully signed in from a new device, especially if the connection attempts were from one device appearing to be to the other end of the world, and if the duration of the password account has been restricted.

The 10 different IP cameras, all with cloud functionality, are as follows:

  • Blink
  • Wyze
  • YI IOT
  • YI House
  • Wansview Cloud
  • MIPC
  • Jawa
  • CloudEdge
  • Amcrest Cloud
  • iCSee

The apps accompanying these cameras have all been downloaded 50,000 times or more, and four of the ten have been downloaded over a million times.

Account security verification

Our team researcher downloaded the apps used to connect and control the cameras and created accounts for them. After logging in successfully, he checked an option to change account password and configure two-factor authentication for accounts. He then used a second phone with a VPN application connect to a server abroad, so that the communication from the second device goes through that server and everything sent from the device therefore appears to come from a device located abroad.

“I intentionally attempted to log into my own account using the wrong passwords more than 10 times to see if any brute force attempts would be detected by the apps. After that I used the correct login credentials to log in to see if I had received a notification about a new login from a different device and location, ”said Marko Zbirka, researcher in IoT at Avast. “Following that, I checked to see if the traffic between the app and the manufacturer’s server was encrypted. Of the ten apps I reviewed, only two had what I would consider an acceptable level of account security measures.

The two apps that offered the best basic account security out of the ten, according to Zbirka, were Blink and Wyze. The Blink app requires users to enter a one-time password to add a new device, a one-time password to change the account password, and notifies users of brute force attempts or when a connection is made using a new device.

Wyze offers two-factor authentication, although it is not set by default. The app gives users the choice of sending the passcode via SMS or authenticator app, which eliminates the risk of anyone accessing it if the email account linked to the account is compromised. Wyze also notifies the user – not the account user, but the user trying to log in if too many connection attempts have been made.

“I was hoping all apps would have some sort of two-factor authentication preferably through an authenticator app, no maximum set for password length some apps have limited password length to 16 characters and notifications informing the user of connections from new devices or unknown locations, ”Zbirka explains.

According to Zbirka, the MIPC app offered the least favorable account security because it does not provide any brute force protection or notification. The password reset procedure is transmitted over HTTP, which means it is not encrypted.

Things to consider when choosing an IP camera

When considering purchasing a cloud-connected IP camera to use at home or in the office, Zbirka notes that it is important not only to check how often the device receives software updates, but also to do so. pay attention to the security level of the accompanying application account. provides. Ideally, an application should use the following security measures:

  • Offer two-factor authentication, preferably through an authenticator app
  • Do not have a maximum value set for password length (some applications have limited password length to 16 or 32 characters)
  • Send push notifications informing users of connections from new devices or locations

Discover the full analysis of our team’s research on Decoded avast.