This screenshot taken on July 18, 2022 shows the official website of the Consumer Council.

HONG KONG – Home surveillance cameras pose privacy risks from data leaks, with nine out of ten models tested failing European cyber security standards, Hong Kong’s consumer rights watchdog said Wednesday.

In a statement, the Consumer Council said nine out of the 10 models it tested posed various cyber security concerns, including transmission of videos and data without encryption, and failure to defend against “brute-force attacks” by hackers to crack passwords.

“Security of user data storage was found to be inadequate in many apps, with half of the tested models able to access the user files stored in smart devices through Android apps, and some apps even requested excessive permission,” the council said.

It urged manufacturers to improve the cyber security of products, such as introducing encryption of video and data.

Consumers should also set strong passwords for their surveillance cameras and change them regularly, as well as making good use of firewalls and network monitoring functions, the council added.

The watchdog said the 10 models of home surveillance cameras tested were priced between HK$269 ($34) and HK$1,888, all providing two-way audio, motion detection, night vision, Amazon Alexa and Google Assistant voice control.

The council commissioned an independent laboratory to test the cyber security of these 10 models with reference to the European and industry standards on protection against attack, security of data transmission and apps, security of data storage, and hardware design.

The council said five models transmitted videos or data without encryption, exposing a security flaw for hackers.

“The video data was transmitted without encryption, making it vulnerable to hackers who could easily access the video content. When connecting to the user’s Wi-Fi network, another model adopted the Hypertext Transfer Protocol (HTTP) for data transmission without encrypting the sensitive data, allowing hackers to find the router’s credential in plain text files,” the council said.

The test results also revealed that the security of in-app data storage for all 10 models was inadequate. Sensitive data such as email address, account ID or passwords were stored in plain text files, which were not protected with encryption, and the relevant data would only be deleted after a certain period, exposing a risk for hacking, it added.

The council said some surveillance camera apps also used WebView that allowed users to browse the webpage directly, but the Android app of 5 models did not block the permission of accessing the files, “so hackers could access files stored in devices by injecting script.”

“Moreover, the app of 5 models requested excessive permission, with some accessing quite sensitive data, such as the device’s calendar, account information, and apps being used in real time, which could lead to device data leaks,” it added.