Why you shouldn’t throw away your broken IP camera

Despite numerous reports about the vulnerabilities of internet protocol (IP) cameras, they continue being entry points for malicious actors. Recent research by an information assurance firm NCC group revealed that there are many security and privacy issues, including default credentials stickered across packaging and the device itself, as well as weak encryption.

The IP Camera Market size was valued at over $8 billion in 2018. According to the Global market insights, the global industry shipments are expected to exceed 100 million units by 2025.

As individuals and companies continue to install IP cameras for protection, devices continue to carry old vulnerabilities. CyberNews talked to security consultant Dale Pavey about whether we should just turn off our IP cameras.

“With so many of these cameras being easily accessible and searchable on the Internet, it’s trivial for attackers to find their targets,” Dale Pavey said.

Researchers have repeatedly warned about the vulnerabilities of the IP cameras. Yet, as cheap devices continue to flood the market, not much seems to be changing in terms of security.

What vulnerabilities did you find in these IP cameras? How can cybercriminals exploit them? Can they hack into my other devices through an IP camera?

We have found a wide range of information from wifi credentials for a user’s home network, access to the backend server-storing consumer’s information, old vulnerabilities such as Heartbleed, and even physical such as default credentials stuck to the camera via a label.

If an IP camera does stop working, the consumer would most likely throw it away, thinking it is safe to do so. If this was recovered, and a forensic method of extracting the information store on the device was performed, the attacker would be able to grab the wifi data and have the ability to connect to the consumer’s home network without them knowing,

Dale Pavey said.

These issues enable a cybercriminal to perform more actions that are sinister against not only the consumer but also the company hosting the information for the device. If you take the home wifi information as an example. When a consumer has a wifi router set up, they will rarely change the password that this comes with. 

If an IP camera does stop working, the consumer would most likely throw it away, thinking it is safe to do so. If this was recovered, and a forensic method of extracting the information store on the device was performed, the attacker would be able to grab the wifi data and have the ability to connect to the consumer’s home network without them knowing. This exposes all devices that are connected to that network. This could lead to a remote method to connect back to the consumer’s network or even worst-case scenario financial loss if the portable devices are not secured.

How often do cybercriminals trick these IP cameras, are there any statistics to back that up?

We’ve seen real-world mass-scale attacks against poorly-secured IoT devices, which includes many IP cameras, through examples such as the Mirai botnet. In 2016, this was an automated attack that gained unauthorized access to over 600,000 vulnerable devices and cameras around the world by exploiting vulnerabilities in them, such as default passwords and other technical vulnerabilities.

We also see from the shodan.io search engine that just searching for the term “IP Camera” returns over 85,000 potentially unsecured and exposed IP cameras around the world. With so many of these cameras being easily accessible and searchable on the Internet, it’s trivial for attackers to find their targets.

How can users secure their IP cameras so that criminals couldn't hack into them?

The best thing a consumer can do is to have a separate wifi network from their main home network, which is only for IoT devices. Implementing a method of MAC address whitelisting will also ensure only known devices can connect to the network. Implementing this type of security will ensure that if a device is exposed or if a leak of wifi information occurs, the only exposed network is separated from further potential targets. This type of method is called defense in depth.

Change the default passwords when you receive the device. This will ensure that easy access to the device, if it was discovered, cannot be obtained through a basic brute-force attack. 

Ensure the default settings do not expose the device. This includes changing username/password, enabling authorized RTSP access only, and disabling any FTP/Telnet services.

Removal of any stickers on the device that state any passwords, usernames, or even a random assortment of values indicating a UID that is attached to the device.

Always ensure that the devices are up-to-date with the latest firmware. If the devices require interaction to perform an update, develop a routine, or set a calendar event that involves performing this action. One point to note, if the device has stopped receiving updates, it might be time to move onto a newer model or vendor.

Depending on where the digital assistant is placed in a home, an attacker may be able to shout an open door command through the letterbox, which makes the digital assistant trigger the door lock open mechanism,

Dale Pavey said.

Have you looked into other IoT devices? 

We routinely test a myriad of IoT devices, from consumer to enterprise IoT. Last Christmas, we completed some work for the Which? consumer magazine in the UK on a range of children’s smart toys. Our research identified a range of concerns around the handling of data that belonged to children and a range of vulnerabilities that, if exploited, could severely impact the privacy and safety of children. 

What new risks arise when a lot of our home appliances are interconnected?

Each time a new IoT device is connected to our homes, the potential attack surface increases. In addition, the potential for what we call second-order attacks increases – this is where one IoT device might be attacked via another. A potential realistic example scenario here could be a voice-activated digital personal assistant, configured to open a smart lock on a door through a voice command. Depending on where the digital assistant is placed in a home, an attacker may be able to shout an open door command through the letterbox, which makes the digital assistant trigger the door lock open mechanism. We should pay particular care when deploying home IoT devices that have technology that could impact on privacy (e.g. cameras and microphones), and IoT devices that have some sort of physical control within the environment, such as turning things on/off, opening doors, or operating some sort of appliance.