Slashdot Mirror


Home Security Camera Sends Video To Wrong User (bbc.com)

An anonymous reader quotes a report from the BBC: A leading security camera-maker has sent footage from inside a family's home to the wrong person's app. Swann Security has blamed a factory error for the data breach -- which was brought to its attention by the BBC -- and said it was a "one-off" incident. The BBC first learned of the problem on Saturday, when a member of its staff began receiving motion-triggered video clips from an unknown family's kitchen. Until that point, Louisa Lewis had only received footage from her own Swann security camera, which she had been using since December. The development coincided with Ms Lewis's camera running out of battery power and requiring a recharge. A Swann spokeswoman said that "human error" had caused two cameras to be manufactured that shared the same "bank-grade security key -- which secures all communications with its owner." "This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: 'Camera is already paired to an account' and left the camera running," she added.

2 of 91 comments

  1. Camera already paired by Anonymous Coward · Score: 4, Interesting

    Warning messages like this are entirely useless. If someone gets a message 'Camera is already paired to an account', they'll get annoyed and click through it. It doesn't tell them what the problem really is, it doesn't warn them of the consequences, and it's just plain in the way of them finishing the onerous task of registering their devices to get basic functionality.

    A better message might have warned them, 'this camera appears to be already registered to another account, possibly because it was resold. If you continue, the camera's previous owner will be able to view this camera in your home'. Even better, it could instruct them to contact tech support to switch ownership of this camera. Better yet, do away with the annoying useless popup message and just deregister the old account's ownership.

    They say it's a one-off factory error, but they still should have been able to foresee a camera being bought by one user and later sold to another user. Dealing with that problem would have made the one-off factory error a nonissue. Yes it would have deregistered the old camera, but at least that's something that can be handled through support rather than by sending video to the wrong account.

  2. Re:Bank-grade security key? by swillden · Score: 3, Interesting

    Yeah, right.

    Meh.

    All this means is that they're using standard crypto -- and if it's really "bank grade" then it could be a little behind the times. Banks still use 3DES all over the place. That's not a security problem, exactly, but they really need to update.

    I'm surprised they didn't use the more common "military-grade security" phrase. It's not one whit more meaningful than "bank-grade security", other than it probably indicates use of AES, perhaps AES-256, given the NSA's apparent concern about quantum computing.

    I guess both phrases can be taken to indicate "We aren't complete idiots who roll our own ciphers" though it definitely leaves the door wide open for "(but we are stupid enough to roll our own protocols and implementations)". No way to know on the latter point without looking at the details.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.