Swann home security camera sends video to wrong user

• Louise Lewis shocked to receive images from another family’s kitchen on app
• Her Swann Security camera was sending her clips taken on another device
• Swann initially claimed it was a factory error but later said it was a human error
• Comes month after man from Leicestershire received clips from another device

A security camera owner was shocked to receive images from inside another family’s home – just a month after a different user was mistakenly sent someone else’s footage.

When BBC employee Louisa Lewis received a notification on her security camera app she discovered that instead of showing the interior of her home she was looking at a kitchen she didn’t recognise – with people she did not know wandering around in it.

The Swann Security camera, which has models starting at £74.99, is meant to send video clips live to the user’s mobile phone when any sort of motion is detected in their home.

The leading security camera-maker, which is based in the US, initially blamed a factory error for the data breach and said it was a ‘one-off’ incident.

But the BBC reports that only last month another customer reported a similar problem when his app received footage from a nearby pub’s CCTV system.

Ms Lewis first began receiving motion-triggered video clips from the unknown family’s kitchen on Saturday.

She said: ‘I was out and I had a couple of alerts. Naturally, I looked at my phone only to see the video was not of my home.

At first I ignored it – I thought it must be an error – then I had several other alerts, at which point I thought I had better get in touch with Swann.’

She added that the images showed a man and a woman in their kitchen. At one point a child’s voice could be heard.

Stephen Gailey, solutions architect at Exabeam and former head of security for Barclays, said: ‘This is sensitive personal data. There is the risk, for example, that pictures of children could have been sent out to the wrong users.

‘Unless the organisation has good data monitoring, they may never know for certain.’

After the  BBC raised the incident with their press office, a Swann spokesman said that ‘human error’ had caused two cameras to be manufactured that shared the same ‘bank-grade security key – which secures all communications with its owner’.

She added that Swann had not managed to identify the family involved.

Tim Lane, from Leicestershire, began a Twitter hunt last month to identify a pub after he and his wife began receiving images from its CCTV system.

Mr Lane said: ‘One day we were watching our own cameras, the next – when we opened the app up – it was someone else’s.’

He wrote on Twitter: ‘Can @swannsecurity please tell me why both our smart devices can reliably access the CCTV cameras from a pub. Moreover, who’s viewing our cameras? Anyone recognise the pub?’

Mr Lane was surprised to discover it was only a few miles away and he later visited the pub, The Bradgate, to warn its staff.

He again took to Twitter after the meeting and said: ‘Great to meet the manager @newtownlinford and share our concerns that @swannsecurity remote access CCTV system is giving us images from his cameras in place of our own. Bizarre to be able to take a selfie using someone else’s CCTV camera.’

The Information Commissioner’s Office confirmed that the company referred Ms Lewis’ incident on to them. A spokesman said: ‘Swann Communications (Europe) have made us aware of this incident and we will be making inquiries.

‘If anyone has concerns about how their data has been handled, they can report these concerns to us.’

Security expert Mr Gailey added: ‘Modern software development techniques are a rich source of future security bugs. Programmers nowadays are no longer scientists they are fitters – assembling third party libraries, components and tools to create a desired application.

‘They are doing this without a clear understanding of any of the underlying principles of how these libraries work at a fundamental level.

‘Any failure in one of these software components, any lack of understanding in how to assemble them – or even in how they interact with the rest of the Internet – is likely to lead to a significant future vulnerability. As in this case, even a simple operational error could leak users data.

‘The Internet of Things – or IoT – is exploding in popularity. As people continue to connect their household devices to the Internet, you can expect to see more of this sort of privacy breach, particularly as organisations lacking the skills or experience to build such products leap onto the IoT bandwagon.’

Christopher Littlejohns, EMEA manager at Synopsys technology, said: ‘In this particular case a human error resulted in a manufacturing fault with at least two security cameras having the same key causing both cameras to be identified as the same item.

‘The net result was that images, sound and videos were sent from one camera to the wrong user on their mobile phone.

‘While the impact of this is mostly on the vendors reputation, the same issue appearing in something like Bitcoin or other high-value item could be catastrophic.

‘Issues such as this may cause significant difficulties with government regulations, for example European Union GDPR compliance. Poor key management may be considered negligent when it results in such data privacy issues, and there cannot be many things much more relevant to privacy than sending videos from your own home to the wrong person.’

Adam Brown, manager of security solutions at Synopsys, added: ‘I personally have experience with Swann cameras – I used to have one, albeit different from the one in the report.

‘I found that the camera feed itself could be accessed directly from the network the camera was on, and there was some access control over that video feed – a hardcoded password as I remember – this is bad practice.

‘If that camera was placed directly on the internet (not behind a firewall) then prying eyes could potentially see what my camera could see.

‘Obvious lax security controls indicate systemic failings. Without speculating on the technicalities of what went wrong here, I would surmise that the software security initiative at Swann is either lacking or could benefit from some deliberate improvement driven from management.’