Why you shouldn’t throw away your broken IP camera

by Jurgita Lapienytė
3 September 2020
in Security

Despite numerous reports about the vulnerabilities of internet protocol (IP) cameras, they continue to be entry points for malicious actors. Recent research by information assurance firm NCC Group revealed many security and privacy issues, including default credentials stickered across the packaging and the device itself, as well as weak encryption.

The IP camera market was valued at over $8 billion in 2018. According to Global Market Insights, global industry shipments are expected to exceed 100 million units by 2025.

As individuals and companies continue to install IP cameras for protection, devices continue to carry old vulnerabilities. CyberNews talked to security consultant Dale Pavey about whether we should just turn off our IP cameras.

“With so many of these cameras being easily accessible and searchable on the Internet, it’s trivial for attackers to find their targets,” Dale Pavey said.

Researchers have repeatedly warned about the vulnerabilities of IP cameras. Yet, as cheap devices continue to flood the market, not much seems to be changing in terms of security.

What vulnerabilities did you find in these IP cameras? How can cybercriminals exploit them? Can they hack into my other devices through an IP camera?

We have found a wide range of information from wifi credentials for a user’s home network, access to the backend server storing consumers’ information, old vulnerabilities such as Heartbleed, and even physical such as default credentials stuck to the camera via a label.

These issues enable a cybercriminal to perform more actions that are sinister against not only the consumer but also the company hosting the information for the device. If you take the home wifi information as an example, when a consumer has a wifi router set up, they will rarely change the password that this comes with.

If an IP camera does stop working, the consumer would most likely throw it away, thinking it is safe to do so. If this was recovered, and a forensic method of extracting the information stored on the device was performed, the attacker would be able to grab the wifi data and have the ability to connect to the consumer’s home network without them knowing. This exposes all devices that are connected to that network. This could lead to a remote method to connect back to the consumer’s network or even worst-case scenario financial loss if the portable devices are not secured.

How often do cybercriminals trick these IP cameras, are there any statistics to back that up?

We’ve seen real-world mass-scale attacks against poorly-secured IoT devices, which includes many IP cameras, through examples such as the Mirai botnet. In 2016, this was an automated attack that gained unauthorized access to over 600,000 vulnerable devices and cameras around the world by exploiting vulnerabilities in them, such as default passwords and other technical vulnerabilities.

We also see from the shodan.io search engine that just searching for the term “IP Camera” returns over 85,000 potentially unsecured and exposed IP cameras around the world. With so many of these cameras being easily accessible and searchable on the Internet, it’s trivial for attackers to find their targets.

How can users secure their IP cameras so that criminals couldn’t hack into them?

The best thing a consumer can do is to have a separate wifi network from their main home network, which is only for IoT devices. Implementing a method of MAC address whitelisting will also ensure only known devices can connect to the network. Implementing this type of security will ensure that if a device is exposed or if a leak of wifi information occurs, the only exposed network is separated from further potential targets. This type of method is called defense in depth.

Change the default passwords when you receive the device. This will ensure that easy access to the device, if it was discovered, cannot be obtained through a basic brute-force attack. 

Ensure the default settings do not expose the device. This includes changing username/password, enabling authorized RTSP access only, and disabling any FTP/Telnet services.

Removal of any stickers on the device that state any passwords, usernames, or even a random assortment of values indicating a UID that is attached to the device.

Always ensure that the devices are up-to-date with the latest firmware. If the devices require interaction to perform an update, develop a routine, or set a calendar event that involves performing this action. One point to note, if the device has stopped receiving updates, it might be time to move onto a newer model or vendor.
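The settings check described in the answer above (FTP/Telnet disabled, RTSP for authorized users only) can be run against a camera you own. The script below is an added example, not part of the interview or NCC Group's research; the port numbers are the standard defaults and the RTSP path `/` is an assumption, since stream paths differ between vendors.

```python
import socket
import sys

# Services the advice says to disable; RTSP (554) must demand credentials.
SHOULD_BE_CLOSED = {21: "FTP", 23: "Telnet"}
RTSP_PORT = 554

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def parse_rtsp_status(raw):
    """Extract the status code from a line such as 'RTSP/1.0 401 Unauthorized'."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"RTSP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def rtsp_status(host, port=RTSP_PORT, path="/", timeout=2.0):
    """Send DESCRIBE with no credentials; return the status code or None."""
    req = f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\nCSeq: 1\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(req.encode())
            return parse_rtsp_status(s.recv(1024))
    except OSError:
        return None

def audit(host, is_open=tcp_open, rtsp=rtsp_status):
    """Return findings for one camera; an empty list means nothing was flagged."""
    findings = [f"{name} (port {port}) is reachable; disable it"
                for port, name in SHOULD_BE_CLOSED.items() if is_open(host, port)]
    # 200 = stream description served without a login. 401 = auth enforced.
    # Any other code (e.g. 404 for a wrong path) is inconclusive, not a pass.
    if rtsp(host) == 200:
        findings.append("RTSP served DESCRIBE without credentials; require authentication")
    return findings

if __name__ == "__main__":
    for line in audit(sys.argv[1]) or ["no findings"]:
        print(line)
```

Run it from the same network segment as the camera with the camera's address as the only argument, and repeat it after each firmware update, since updates can reset service settings.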

Have you looked into other IoT devices? 

We routinely test a myriad of IoT devices, from consumer to enterprise IoT. Last Christmas, we completed some work for the Which? consumer magazine in the UK on a range of children’s smart toys. Our research identified a range of concerns around the handling of data that belonged to children and a range of vulnerabilities that, if exploited, could severely impact the privacy and safety of children. 

What new risks arise when a lot of our home appliances are interconnected?

Each time a new IoT device is connected to our homes, the potential attack surface increases. In addition, the potential for what we call second-order attacks increases – this is where one IoT device might be attacked via another. A potential realistic example scenario here could be a voice-activated digital personal assistant, configured to open a smart lock on a door through a voice command. Depending on where the digital assistant is placed in a home, an attacker may be able to shout an open door command through the letterbox, which makes the digital assistant trigger the door lock open mechanism. We should pay particular care when deploying home IoT devices that have technology that could impact on privacy (e.g. cameras and microphones), and IoT devices that have some sort of physical control within the environment, such as turning things on/off, opening doors, or operating some sort of appliance.
