IoT World Today

5 Cybersecurity Lessons Related to IP Security Cameras

There is a creepy angle to IP security camera breaches, but there are more considerations to keep in mind.
  • Written by Brian Buntz
  • 31st August 2019

One of the world’s largest threat intelligence research groups, Cisco Talos, recently discovered scores of vulnerabilities in Google’s Nest Cam IQ indoor camera. Cisco Talos identified multiple exploitable problems with the IP security camera. The vulnerabilities were linked to Weave, the protocol Nest relies on to let users configure the device and establish initial communication with it. The vulnerabilities could allow an attacker to carry out a range of attacks, including denial of service, code execution and information disclosure. An adversary could also seize control over the affected devices.

What that news means about the current state of security for IP cameras, however, is difficult to ascertain at first glance. And seemingly conflicting information is rampant. Here, we provide several fundamental conclusions about the current state of IP camera security. 

IP Cameras Continue to Be Vulnerable

Internet-connected cameras deserve special consideration given how regularly they are used in ways their users likely didn’t anticipate. IP cameras played a starring role in the Mirai botnet, which in 2016 carried out a DDoS attack that shut down a chunk of the internet. While some manufacturers of such devices share part of the blame given their failure to prioritize cybersecurity in the development of the products, another element is users’ reliance on default usernames and passwords. The Mirai botnet, in particular, homed in on the tendency of many web cameras, DVRs, routers and other devices to use default passwords. Many users of such devices contribute to the problem given their propensity for using and reusing insecure passwords. Manufacturers can counter this by forcing users to change such passwords after the first use.

Another consideration, however, is the possibility for security cameras, and other IoT devices, to use a default username and password that are not exposed to the user, according to Asaf Ashkenazi, chief strategy officer at Verimatrix. This log-in info could enable an attacker to open a remote shell. “In some cases, it seems that OEMs intentionally use the same default password for all devices, because it reduces manufacturing costs, and likely to reduce customer support calls,” Ashkenazi explained.   
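As an added illustration (not code from the article or from any vendor), the Python below models the two mitigations raised above: a setup password that is unique to each device rather than shared across a model, and a factory state in which a successful login grants nothing until the password has been changed. The function and class names, the denylist and the factory secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed denylist sample; a real product would ship a much larger one.
WEAK = {"admin", "password", "1234567890", "administrator"}
MIN_LEN = 10

def setup_password(factory_secret: bytes, serial: str) -> str:
    """Derive the label password at the factory. It differs per serial, so one
    leaked label or firmware image does not unlock every unit of the model."""
    mac = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode().lower()  # 80 bits -> 16 chars

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Camera:
    """Hypothetical device-side account state; only a salted hash is stored."""

    def __init__(self, initial_password: str):
        self._salt = os.urandom(16)
        self._digest = _hash(initial_password, self._salt)
        self.must_change = True  # factory state: no services until changed

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._digest)

    def login(self, password: str) -> str:
        if not self._verify(password):
            return "denied"
        # Correct factory credential still opens nothing but the change form.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> str:
        if not self._verify(old):
            return "denied"
        # Reject short or well-known passwords and reuse of the current one.
        if len(new) < MIN_LEN or new.lower() in WEAK or self._verify(new):
            return "rejected"
        self._salt = os.urandom(16)
        self._digest = _hash(new, self._salt)
        self.must_change = False
        return "ok"
```
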

“If you look at the vendors in IoT, they have two things that are very problematic,” Ashkenazi said. “They have pressure to decrease their time to market. They need to beat their competitors, or to be at least at the same time when they go out with a solution.” They also have cost constraints. “If you look at the different ‘things’ that are connected, whether it is a light bulb or a toaster, consumers expect what those products should cost,” Ashkenazi said. The price of many connected devices continues to fall, leading CNET to declare recently: “The era of the $200 security camera is over. This $20 alternative is impressive.” That may be the case, but it is likely that the manufacturer of an inexpensive security camera offers little in the way of security.

While consumers tend to get upset upon reading about a compromised security camera, the buying public rarely considers security as a buying factor, Ashkenazi said. “We certainly look at the price and sometimes performances and product reviews.” Consumers’ priorities eventually dictate the priorities of IP camera manufacturers. Still, Ashkenazi acknowledged that it is often difficult for consumers to ascertain if one particular product is more secure than another. “I hope that in the future, product reviews published by leading consumer magazines will not only focus on performance and user experience but will also rate the security of the products they review,” Ashkenazi said.   

The Media Tends to Love Hacked Camera Stories

Articles about hacked cameras are often attention-grabbing. For evidence of that, look to stories from this year describing the tale of a nuclear attack hoax perpetrated via a Nest security camera speaker or a Forbes article declaring millions of Chinese cameras “can be hacked to spy on users.”

Stories about hacked cameras can stir primal emotions. “But I don’t think that [IP] cameras are fundamentally different from other smart devices,” Ashkenazi said. A consumer with a connected toaster, or a printer for that matter, might shrug off the risk of such devices. “But it’s not always about [the devices in themselves],” Ashkenazi said. Consumers and enterprises with unpatched networked devices are at risk, no matter what type of device they are. “Let’s say you didn’t update your printer. Nobody remembers to update their printer.” If your firmware has a known vulnerability, like the OpenSSL-based Heartbleed, attackers can easily take advantage of the situation to reach other devices in your local network. “In some cases, they can do it without knowing or cracking your Wi-Fi password,” Ashkenazi said. An attacker might not need to overcome the latest macOS or Windows security protections to access files visible to the local network. “They can just use that compromised printer to access other devices connected to your internal network,” Ashkenazi said.

Who Is (Not) Looking Through Your IP Camera? 

When you use an internet-connected camera or a computer or smartphone with an integrated camera, there is a risk of someone else looking in. That person doesn’t necessarily have to be a “hacker.” According to The Guardian, popular smartphone apps such as WhatsApp, Facebook, Snapchat, Instagram, Twitter, LinkedIn and Viber ask users to grant access to their camera and microphone. That makes it possible for the app to access both of the phone’s cameras.

The security ramifications of web cameras are by no means limited to hacking. Spend enough time on Shodan.io, an IoT search engine, looking for popular web camera names such as “webcamXP” and you can see how easy it is to pull up random video feeds. You can click on links and see footage from city centers, retail stores, boating docks and domestic settings. Some previous media coverage describing hacking of IP cameras highlighted victims who used unsecured credentials – often default usernames and passwords.

If you installed the popular Ring camera, for instance, you may not have been fully aware that using the device grants Ring, and by extension Amazon and any of its licensees, “an unlimited,” “irrevocable,” “perpetual” and “worldwide right to reuse, distribute, store, delete, translate, copy, modify, display, sell” your video footage. The company’s terms of service also give Ring the authority to “create derivative works” from your footage “for any purpose and in any media formats in any media channels without compensation to you.”

Nest’s terms of service and recently published privacy policy are intended to allay consumers’ privacy concerns. The company vows not to use video or audio recordings from its products (including Nest IP cameras) for ad personalization. It does acknowledge it plans to use the text-based smart-speaker queries following a wake-word (e.g., “Hey Google, what is the forecast?”) for targeted advertising. Users, however, can opt out of this form of targeted advertising.

Nest’s policy for video footage appears to be narrower than Ring’s: “Your camera sends video footage to Google only if you or someone in your home has explicitly turned the camera on or enabled a feature that needs it,” explains its terms of service. 

Earlier this year, Nest faced backlash after it admitted it failed to disclose that its Nest Secure home security device contained a microphone. The inclusion of the on-device microphone “was never intended to be a secret and should have been listed in the tech specs,” read a statement from the company. 

The Nest terms of service describe the possibility of users consenting to interface Nest products with third-party products and services, and state users must agree to have their device automatically install updates. One recent update did away with the ability of users to turn off an LED status light that illuminates when a Nest camera is recording. The terms also state that the company could have access to content, including video footage that the company uses to “provide, maintain and improve the Services.”

While Ring’s terms of service cover virtually any use, a handful of use cases have become public knowledge. For one, Ring gave developers in Ukraine access to its cloud-hosted, unencrypted videos so they could study them to help train its computer vision algorithms, according to The Intercept and The Information.

Ring is also sharing video footage with more than 400 police forces in the United States via a program known as “Neighbors,” a neighborhood-watch-like service. In a blog post, Ring Chief Executive Officer Jamie Siminoff wrote: “Neighbors and local law enforcement have achieved amazing results by working together through the Neighbors app, from getting stolen guns off the streets to helping families keep their children safe, and even recovering stolen medical supplies for a diabetic child.” The Electronic Frontier Foundation, on the other hand, has an opposing viewpoint. “By sending photos and alerts every time the camera detects motion or someone rings the doorbell, the app can create an illusion of a household under siege,” wrote EFF policy analyst Matthew Guariglia in a blog post. “It turns what seems like a perfectly safe neighborhood into a source of anxiety and fear. This raises the question: do you really need Ring, or have Amazon and the police misled you into thinking that you do?”

Just Because Hackers Can Spy Through IP Cameras Doesn’t Mean They Are

Judging by the amount of tape, Post-It notes, stickers and other devices plastered on top of laptops, the public has developed a degree of paranoia regarding webcams. An HP survey found 79% of respondents in the United States were aware of the risk of a stranger looking in on them via a webcam. Six out of 10 respondents said they covered up their web camera – with tape or something similar – when it was not in use. 

Responsible Disclosure Is a Good Thing

The recent disclosure of a string of vulnerabilities related to a Nest security model highlights how responsible disclosure can work. Cisco partnered with Nest and Weave to ensure the problem was addressed before Cisco Talos announced the vulnerabilities. According to Nest, affected cameras with an internet connection would be automatically updated to address the recently disclosed vulnerabilities. 

 

Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.