Millions of consumers using small, internet-connected surveillance cameras may be unknowingly exposing their homes and networks to serious security risks. A recent analysis reveals that certain widely sold “spy cams” and similar devices—often disguised as everyday objects like alarm clocks, USB chargers, or wall sockets—suffer from deep-rooted vulnerabilities that make them easily accessible to outsiders.
These cameras, often managed through the LookCam app or related platforms such as tcam, CloudWayCam, and AIBoxcam, are inexpensive and widely available online. But according to a detailed technical review by security researcher Wladimir Palant, their software and hardware contain multiple critical flaws that leave no meaningful barrier between private footage and unauthorized access.
One of the core issues lies in the devices’ communication protocols. Most of the data sent to the cloud is transferred without proper encryption. Even when encryption is used, it relies on weak, poorly implemented algorithms with hardcoded keys that can be easily extracted. The devices also lack any proper authentication for their cloud services—meaning that anyone who obtains or guesses the device’s ID can remotely view live footage or access stored recordings.
Network traffic reveals that these cameras send unencrypted data to remote servers, often over basic HTTP. Worse still, there’s no verification of who’s operating the cloud service. This allows attackers—or even internet service providers—to intercept or redirect footage with minimal effort.
Security researchers also found that the devices are unpatchable. Their firmware doesn’t support updates, and the system architecture includes known vulnerabilities such as buffer overflows and disabled password enforcement. These issues open the door to remote code execution and botnet enrollment.
With no effective user controls, no vendor accountability, and no upgrade path, these cameras present an ongoing security threat. Experts strongly advise against using or reselling the devices, noting that removing them from operation is the only responsible course of action.
However, these vulnerabilities could also be used for good. Spy cameras are sometimes used to film people illegally and without their consent. Law enforcement agencies can take advantage of the same weaknesses to trace criminals who use spy cameras for nefarious purposes.