Consumer Reports has no financial relationship with advertisers on this site.
Test engineers at Consumer Reports recently discovered multiple security vulnerabilities in two home security cameras: the Wyze Cam V2 and Guardzilla GZ360. These lapses could give hackers access to information that may compromise a user’s account or home network.
CR determined that the risks of the cameras being hacked were relatively low, so if you own either one of them, there's no need for immediate concern, says Robert Richter, who leads security and privacy testing for Consumer Reports. “While these vulnerabilities could be exploited, they wouldn't be easy or practical to use en masse,” he says.
In the interest of getting the vulnerabilities fixed and reducing the threat to consumers, CR alerted Wyze and Guardzilla to our findings. Wyze has fixed the vulnerabilities through an update to its Android app. And while Guardzilla has fixed one issue, it is still working to fix another vulnerability we discovered.
“Security in the Internet of Things can be a mess,” says Justin Brookman, director of consumer privacy and technology policy for CR. “There aren't clear norms around product support, and many products are released with vulnerabilities that may never get fixed. Security is especially a concern around cameras that might be collecting very sensitive and personal data that people wouldn't want to be shared with the rest of the world.”
These security camera tests were conducted by CR’s new Digital Lab, which was established to evaluate digital products and services to protect consumers’ privacy and security. Last year our tests found vulnerabilities in a D-Link security camera that could allow strangers to view video footage in some circumstances.
D-Link promised to fix the problem last fall when CR brought it to the company's attention, but at the time this article was published, the issue persisted. We reached out to D-Link for comment, and it said it believed it had addressed the issue. Our experts disagree, and we are in ongoing communication with the company regarding this concern.
How We Test Security Cameras
In addition to our rigorous testing for performance—including assessing a model’s video quality, the response time of motion alerts, and smart features—we assess more than 70 different indicators to rate models for privacy and security. Our test methodology is based on The Digital Standard, an open-source set of criteria for evaluating digital products and services.
For data privacy, our team conducts a document review, reading hundreds of pages of privacy policies, terms of service agreements, and company FAQs. We look for information on how manufacturers collect personal data, what they do with it, and whether or not you have the ability to delete it. For data security, we use network analysis and vulnerability analysis tools to see if cameras and their video feeds are protected by encryption and equipped to resist attacks.
In addition to the Wyze and Guardzilla cameras, we test models made by companies including Canary, Honeywell Home, Logitech, Ring, and TP-Link. You can see how all 14 models performed in our complete wireless security camera ratings.
Highlights From Our Tests
While we did discover security vulnerabilities in the Wyze and Guardzilla cameras, both have a number of other features that help them earn decent, and even fairly high, security scores in our tests. The Guardzilla camera earns Good ratings for data privacy and security, and the Wyze camera rates Very Good for both.
The lowest-scoring camera for data privacy in our tests is from Logitech; it receives only a Fair rating (although it rates Very Good for data security). One camera from Arlo receives an Excellent rating for data security (and a Very Good rating for data privacy). The best cameras in our privacy and security tests are from Google Nest; they receive Excellent ratings for both data privacy and data security.
Wyze’s security issues. We found two problems in the Wyze Cam V2 camera related to weak encryption and leakage of sensitive data, including users’ email addresses, passwords, WiFi network names, and WiFi passwords. Both have been corrected.
“The issues reported to us by Consumer Reports were prioritized and addressed by our team with fixes released to our users,” says Scott Wilson, Wyze’s director of marketing. He adds that the company will continue to provide app and firmware updates as security improvements are made.
If you own the Wyze Cam V2, our experts encourage you to download the latest version of the Wyze Android app—to ensure that you are running the most secure version—and stay on top of software updates for the most protection.
The Wyze Cam V2 receives Very Good ratings for data privacy and security because Wyze actually does a lot of things well, such as offering the ability to store video locally on an SD card and using encryption. The company also discloses what information it collects.
“It’s not possible to ensure that your software and hardware are completely free of vulnerabilities,” Richter explains. “Of course, it’s best for companies to do everything they can to avoid vulnerabilities in the first place, but responding quickly when vulnerabilities inevitably arise is also the kind of best practice CR is looking for.”
In terms of performance, the Wyze Cam V2 offers superb video quality and fast response time. The $20 camera does so well in our tests that it earns a CR Best Buy recommendation.
Guardzilla’s security issues. The Guardzilla GZ360 also had two security issues in our tests. One of these could allow a hacker to add additional emails to an account for the camera in the Guardzilla Android app without notifying the primary user. Although the company denied this vulnerability existed when we first notified it, CR can confirm that the issue has since been fixed and that there is nothing you need to do in regard to this issue if you own a Guardzilla camera.
Guardzilla has acknowledged the second problem but has yet to resolve it. To avoid jeopardizing the security of current Guardzilla GZ360 owners, we are not disclosing the remaining security issue at this time. But Guardzilla has assured us that it’s working to fix it by the end of the year.
“With hardware safety issues, such as a broken blade on a blender, we would publish a description of the problem,” says Maria Rerecich, senior director of product testing for Consumer Reports. “But with connected products, we need to handle privacy and security vulnerabilities differently. Publishing details about the issue before it’s fixed could result in a hacker exploiting the vulnerability to put consumers at risk.”
CR will continue to monitor the situation. Meanwhile, Guardzilla CEO Greg Siwak says, “Our engineering team is focused on continuously enhancing the security and functionality of our products."
Overall, the Guardzilla GZ360 receives Good ratings for data privacy and data security. Among its shortcomings are the inability to remotely disable recordings and poor password protections. The Guardzilla camera didn’t do so great in our performance tests, either: It came in at the bottom of the pack. So you may want to choose another option from our security camera ratings.
Logitech is worst for data privacy. Our Digital Lab testers did not find any clear security issues with the Logitech Circle 2 security camera, and it receives a Very Good rating for data security.
Arlo stands out for data security. The Arlo Pro 2 earns an Excellent rating for data security and a Very Good rating for data privacy. In our latest tests, it beat out most of the competition in data security due to a number of security improvements from last year's tests. These include automatic software updates, requiring users to create secure passwords, and giving users two-factor authentication to securely log in to their accounts.
The Arlo Pro 2 security camera ranks high for performance as well. It offers superb video quality and an array of smart features, such as voice control and advanced alerts for packages, vehicles, and animals. (Those alerts require a monthly fee.)
Google Nest stands out for both data privacy and data security. The Google Nest Cam Indoor and Google Nest Cam IQ Indoor both receive strong scores in our performance tests for video quality and response time, as well as Excellent ratings for data privacy and data security. For privacy, Google Nest outlines the data it collects, claims to delete your outdated data, and allows you to delete your video clips and data. While the company will use your data for advertising, it does give you the ability to opt-out.
On the security front, Google Nest encrypts all data sent to and from their cameras, offers a multifactor authentication system for logging in to your account, and provides regular security updates. When we tested these two cameras last year, Nest was still treated as a separate brand from Google, but Google has since fully integrated Nest devices, resulting in improved data privacy and security ratings for these cameras. The corporate reshuffling gave the cameras updated, more detailed policies, which helped lift their scores.
Still, despite Google’s high ratings in CR’s privacy tests, there’s no denying that the company regularly collects a tremendous amount of data from its users.
“It’s important to remember that CR is just rating this one Google product, and this is not a comprehensive assessment of all of Google's privacy practices, many of which we want them to change,” says Brookman. “For this product, Google was willing to make more commitments about what happens to your data than some other companies, and that earned them a solid score.”
Google isn’t the only company making secure cameras. To see other high-performing cameras, check out our guide to the best wireless security cameras, or go to our complete wireless security camera ratings. If you want to learn more about CR’s ongoing efforts to protect consumers’ privacy, see our new Digital Lab.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.