Security and surveillance camera security weaknesses may potentially be exploited by hackers to gain access to the networks to which they log on to. The cameras could also be used to discover for physical security weaknesses or to spy on workers and patients.
Recently it has been clearly shown that there is a need for better security controls to be incorporated into these IoT devices. Hackers have focused on the scant security controls to gain access to cameras (and other IoT devices) and have used them for large scale Distributed Denial of Service (DDoS) attacks.
Many device producers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have implemented the devices, yet have failed to amend default passwords. Weak passwords can simply be guessed by hackers, and in many cases, the default passwords are readily available on the Internet.
Poor security controls on any IoT device could lead to it being added to a botnet or used as a Launchpad for other attacks. However, security and surveillance camera security flaws are the most concerning, according to a new report by cloud security expert company Zscaler.
Zscaler recently completed a review of security controls on a number of popular home and enterprise security cameras and identified multiple flaws that could be exploited by hackers.
The Flir FX wireless HD monitoring camera for instance was seen to communicate in plaintext and did not use any authentication tokens. Also, firmware updates were not digitally signed. A hacker could update the devices with custom-crafted firmware and take full management of the cameras. The Foscam IP surveillance camera similarly sent user data in plaintext over http, including passwords. The passwords were even included in the URL.
The flaws were not present in isolated devices, but seemed to be much more of a general problem with a multitude of security cameras and other IoT devices found to have serious flaws.
Security experts at SEC Consult recently discovered two backdoors in more than 80 models of professional surveillance cameras produced by Sony. The devices had hard-coded credentials in a web interface that would allow hackers to remotely turn on the Telnet service on the devices. A hard-coded password was also implemented for the root account that would allow hackers to take full control of the devices via Telnet.
The backdoors were thought to have been implemented by Sony for development purposes rather than being introduced by other parties, although flaws such as these could all too easily be exploited. After being alerted of the flaws, Sony released a firmware upgrade for the devices recently.
SEC Consult said: “An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet, or to just simply spy on you.”
Zscaler has warned groups to take steps to limit access to IoT devices and, as far as is possible, improve security controls to stop the devices from attack. Zscaler recommends blocking external ports and updating default credentials with approved passwords. The devices should also only be linked to isolated networks. If compromised, the damage can therefore be restricted.