
HiKam S6 WiFi IP Camera – High quality at ALDI price? – AV-TEST Internet of Things Security Testing Blog

IP cameras are still among the best-selling devices for the home. Accordingly, the range of products in this segment remains almost endless. It is therefore hardly surprising that large discounters are constantly adding options to their range.

The HiKam S6 WLAN IP camera is a typical example of such a product, which in this case is sold in large quantities and at low prices by the discount giant ALDI. That these products are often of a high standard in terms of feature list and quality is no longer a rarity, but whether they are also convincing in terms of security is something we have checked in our quick test.

Features

The HiKam S6 actually offers everything that a device in this class should offer as standard in order to be ready for the most varied application scenarios of an IP camera. It delivers a 720p HD video stream with infrared night vision, has 2-way audio communication, i.e. built-in microphone and loudspeaker, as well as Alexa support, and also offers configurable motion and person detection. Communication takes place via WLAN, so that the camera can also be positioned easily and flexibly. The recorded video data can then be saved on the included cloud storage or stored locally on SD card or NAS. All in all, a well-equipped IP camera is on offer here, especially at this price.

Mobile Applications

The mobile applications for the HiKam S6 (Android: com.hikam.pro v5.0.20; iOS: HIInfinity.HiKam-Pro v1.1.1) did not reveal any serious problems in the static analysis, even if here and there a few points are still noticeable.

It is almost surprising that only three trackers can be detected which have an entry in the Exodus Privacy Database. The two Google trackers (Firebase Analytics and AdMob) are almost standard these days and, moreover, do not reveal any real weak points. The third module from Bugly (officially also intended for bug reporting) is less common and found almost exclusively on devices of Chinese origin. During the operation of the HiKam S6 we could observe relatively regular traffic between the app and the Bugly servers. However, only small amounts of data were transmitted, unencrypted via HTTP, but not in plain text.

[Figure] Detected trackers within the Android application

When analyzing the Android manifest, it is noticeable that almost 80 activities (basically individual app functions that are usually presented to the user via dedicated screens; in this case practically the entire app functionality) are all exported, i.e. they can be requested and executed by other applications, but are not protected by corresponding permissions. Usually, a developer only allows this if certain functions of an app, such as image acquisition or processing functions, should also be accessible to other apps. That an application does this with almost all of its functionality makes little sense and we have not seen this anywhere else yet. Apart from that, this practice also brings security concerns with it. Here the developer should definitely check if and to what extent this is necessary, useful and desired.
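The manifest check described above, as an added example (not the AV-TEST post's or HiKam's code): it lists every exported component that no android:permission protects, treating only the launcher activity as an expected exception. The manifest, package and component names are constructed for illustration.

```python
"""Added example (not the AV-TEST post's or HiKam's code): list exported Android
components that no android:permission protects. The manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name):
    # Namespaced attribute key as ElementTree stores it, e.g. {ns}exported
    return "{%s}%s" % (ANDROID_NS, name)

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WifiConfigActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="true"
        android:permission="com.example.camera.permission.INTERNAL"/>
    <service android:name=".LegacySyncService">
      <intent-filter><action android:name="com.example.camera.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""

def is_exported(elem):
    """Android's rule: an explicit android:exported wins; without it, a component
    with an intent-filter is exported by default (apps targeting API < 31)."""
    explicit = elem.get(attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def is_launcher(elem):
    # The launcher activity has to be exported; it is the one expected exception.
    return any(c.get(attr("name")) == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))

def unprotected_exported_components(manifest_xml):
    """Return (tag, name) for every exported activity/service/receiver/provider
    that declares no android:permission, i.e. any installed app can invoke it."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for elem in root.iter(tag):
            if is_exported(elem) and not is_launcher(elem) and not elem.get(attr("permission")):
                findings.append((tag, elem.get(attr("name"))))
    return findings
```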

Apart from that, the static analysis did not identify any really critical weak points: The iOS app in some places uses insecure API, which can lead to memory problems if used incorrectly. However, all important security mechanisms for memory access (i.e. ASLR, ARC and SSP) are activated, so that we can only speak of a theoretical threat at best. In addition, the ATS (App Transport Security) restrictions are not set, which means that the app may communicate unencrypted via HTTP, for example, and encrypted without requirements for a minimum TLS version, cipher and so on. Since some modules, such as the Bugly module mentioned above, communicate via HTTP and also large parts of the app communication run over the standard unencrypted UDP protocol, this is not surprising and by itself not critical.

Local and online communication

However, for the communication in the local network and via the Internet, we noticed some problems during the test that should not be underestimated in their severity.

In the local network, i.e. when the smartphone with the running application and the camera are in the same network, the communication is almost completely unencrypted. Although local access is protected by authentication on the camera side, the login name is set to “admin” and the password is transmitted unencrypted, as the following network recording shows.

[Figure] Excerpt from network recording showing local login

The actual video stream then runs via the standard unencrypted UDP protocol, but the payload, i.e. the actual video data, appears to be additionally encrypted. However, with local access to the camera, the attacker has already won at this point anyway due to insufficient authentication. In addition, there are further weaknesses in the local web server on the camera, but these are actually of no consequence, since they are harder to exploit than an attack on the insecure authentication itself.

Depending on the application scenario, it may be possible to condone unsecured local communication (but certification according to our standard would not be possible under any circumstances), but if communication via the Internet also has more serious weaknesses, the whole thing certainly becomes critical.

Let's start on the positive side first: Over the Internet, the actual video stream also seems to run via UDP, but with additionally encrypted payload. However, to go on to the negative, the authentication and the handling of the account login information cannot be considered secure either.

For example, the password for local camera access is also transmitted online in plain text (see following picture). But since this is really only for local access, you can almost ignore it at this point. Still, it is not exactly an elegant solution, to say the least.

[Figure] Camera password transmitted in plain text

If you look at the account login, everything looks fine at first glance – an encrypted connection (TLS in version 1.2) is established and the data is transferred with sufficient protection. But if you take a closer look at the network recording of the process, you will notice that there is also communication done via UDP (which is used for other purposes apart from the actual video transmission). This way the account name (e-mail address) and the password are also transmitted, e.g. when changing the account password as shown in the following picture. As one can see, the account name is transmitted in plain text, the corresponding password as an MD5 hash.

[Figure] Network recording of password change (“Test12345” changed to “Test54321”)

If the password is sufficiently long, unique and complex (over 12 characters, lower/upper case, numbers, special characters), this should not be a problem in itself. In reality, weak passwords (the app only requires a minimum of 6 characters) are more common than strong passwords, and then using outdated and no longer sufficiently secure hashing algorithms, like MD5, together with unencrypted transmission becomes a problem. In addition, there is also a lack of brute force protection for the login process, so an attacker has a potentially infinite number of guessing attempts without being hindered.
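The two server-side controls this paragraph finds missing, as an added example (not HiKam's code): a password policy enforcing the criteria named above instead of the 6-character minimum, and a lockout that stops unlimited guessing. Passwords are stored as salted PBKDF2 hashes rather than unsalted MD5; the thresholds and the account name are assumptions.

```python
"""Added example (not HiKam's code): the two server-side controls the post finds
missing, a password policy matching the criteria above instead of the app's
6-character minimum, and a lockout after repeated failed logins. Passwords are
stored as salted PBKDF2 hashes rather than unsalted MD5. Thresholds are assumed."""
import hashlib
import hmac
import os
import re
import time

def password_meets_policy(pw):
    """Over 12 characters with lower and upper case, digits and special characters."""
    return len(pw) > 12 and all(re.search(p, pw) for p in
                                (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self, clock=time.monotonic, max_failures=5, lock_seconds=60):
        self.clock, self.max_failures, self.lock_seconds = clock, max_failures, lock_seconds
        self.users = {}      # email -> (salt, hash)
        self.failures = {}   # email -> (count, locked_until)

    def register(self, email, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[email] = (salt, derive(password, salt))

    def login(self, email, password):
        """Return "ok", "bad_credentials" or "locked". Each failure counts; from
        max_failures on, the account is locked for a doubling interval."""
        count, until = self.failures.get(email, (0, 0.0))
        now = self.clock()
        if now < until:
            return "locked"
        rec = self.users.get(email)
        if rec and hmac.compare_digest(derive(password, rec[0]), rec[1]):
            self.failures.pop(email, None)   # success after the lock expires resets the count
            return "ok"
        count += 1
        if count >= self.max_failures:
            until = now + self.lock_seconds * 2 ** (count - self.max_failures)
        self.failures[email] = (count, until)
        return "bad_credentials"
```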

During the analysis within the scope of our quick test, we also noticed further plain text transmissions of various URLs, tokens and keys, which we have not yet checked further in the limited time frame. However, we are relatively sure that we would encounter more problems if we only dig deep enough.

Data protection and privacy

In this area, on the other hand, the HiKam solution left a rather positive impression on our testers: The privacy policy (as of 20.05.2018) of the HiKam Pro app provides very comprehensive, detailed and clear information on all important topics such as data collection, processing and storage. Accordingly, these are carried out by High Infinity Technology GmbH, Germany, which stores and processes all data within the European Economic Area.

Almost standard is the formulation of presenting oneself only as a contract processor for video and audio recordings on behalf of the customer, according to which the customer alone is responsible for informing all persons filmed by the camera about the data processing. This looks like shifting responsibility to the customer, but under current law it is difficult for manufacturers to find another solution. All other (meta-)data collected is processed by the provider as the responsible entity. The recorded video data itself may be stored by other service providers according to the privacy policy, but always encrypted. The right to use additionally recorded data, e.g. on user behavior and app usage, for product and service improvement is also reserved, but that is fairly standard these days as well.

Verdict

The HiKam S6 offers a thoroughly solid package in terms of features for the estimated price: the feature list is long, the configuration options are extensive and operation is uncomplicated. From a security standpoint, however, too many smaller and above all larger weak points are too obvious in the test for us to be able to make a recommendation. The problems, especially in the area of communication, cost the camera too many points for a good rating. The fact that it does not have any serious weak points in the area of application security and that the topic of data protection is clearly taken fairly seriously barely saves it one star out of three possible.
