IP camera hacks have become more rampant than ever. A large part of it has to do with the camera itself. Many of them are beset by backdoors and design flaws that render them vulnerable to cyberattacks.IP camera hacks have become more rampant than ever. A large part of it has to do with the camera itself. Many of them are beset by backdoors and design flaws that render them vulnerable to cyberattacks.
For the longest time, video surveillance cameras have performed the key role of surveilling and monitoring premises, keeping lives and properties secure. However, the security of the device itself is something that has often been neglected. And, as CCTV cameras migrate more and more towards the network, they face the same kind of risk and cyber threats as any other networked devices.
In fact, a lot of IP cameras have fallen victim to intrusion and hacking. A recent baby cam hack, as told in a June 6 report on web portal CSO Online, occurred in South Carolina when a young mother found out that her baby cam moved on its own, pointing at her while she was breastfeeding her son. In another report by South China Morning Post, dozens of Canon IP cameras were hacked across Japan back in May whereby the cameras were believed to have been illegally accessed, and in most cases a message that read “I’m Hacked. bye2” was left on their screens apparently by the hacker. While it was unclear why Canon cameras were targeted, users in the city of Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture said they had failed to reset the cameras’ default passwords, according to the report.
Then, in October 2016, a series of coordinated cyberattacks were launched against Dyn, an Internet performance management company based in New Hampshire, resulting in service disruptions across various famous sites including Airbnb, Amazon.com and The Boston Globe. It was later found out a botnet of Internet of Things devices, including IP cameras and network video recorders, were used in the attack after being infected with the Mirai malware.
Camera problems today
These incidents speak volumes of the fact a lot of today's IP cameras are still beset by vulnerabilities. Some have backdoors. Some employ default passwords that are easily searchable on the web. Some have other design flaws. These can all be exploited by hackers over the Internet.
“Backdoors are a major threat, and they exist due to negligence in designing a secure product in many of the connected cameras today,” said Alon Levin, VP of Product Management at VDOO. “However, backdoors are not the only threat we are seeing in cameras. Cameras also include design flaws, known vulnerabilities and zero-days vulnerabilities, which can only be handled by the manufacturers.”
“Many technologies are built with limited security controls inherent in them. They are often created with poor coding practices or hardware vulnerabilities that make compromise quite easy. Like any technology, if the underlying camera operating technology is vulnerable to attack, and left with access to open networks like large data networks or the Internet, they can be effected by the million or so new virus variations that are created every day,” said Dave Tyson, SVP of Cyber Security Consulting at Apollo Information Systems.
“The biggest security problem with IP cameras is that they are not managed very well to achieve sustainable cyber hygiene. For example, default passwords remain on the camera, or camera firmware is not updated or abnormal memory, storage, or bandwidth usage goes unnoticed,” said Bud Broomhead, CEO of Viakoo.
As to why this is happening, experts point out that camera manufacturers place a stronger focus on the design and performance of their products. Security, then, becomes a lower priority. “Camera manufacturers operate within a specialized subsector, and much like other technology developers, their skills are geared towards improving the quality of their products. While it cannot be said for all manufacturers, security may not necessarily be aligned to their key business objectives,” said Cheng Lai Ki, Cyber Operations Consultant, Horangi Cyber Security.
And needless to say, making devices more secure requires a certain amount investment, and this goes against camera manufacturers’ interest in their effort to keep costs down. “The race to be cheapest got them all in trouble. Many are just OEMing parts and codebase libraries which are flawed. Not many have taken the time to write their own code and then publish the third party audits of their code security audits. As long as people keep buying this poor quality equipment, there is no incentive for the manufacturers to clean up their development,” said Andrew Lanning, Co-Founder of Integrated Security Technologies.
“To also become experts in security, the manufacturers will have to double their in-house development budget. That doesn’t make sense from an economical perspective. In addition to economic considerations, it is also really hard to integrate a security team into an existing development team – it requires a ‘DNA change’ for the entire company,” Levin said. “Not only that, investment in security today is something that is hard for manufacturers to prove that they have done to the right level and use as a commercial advantage.”
But this is not to say that manufacturers haven’t made any headway in this regard. “We’ve seen some improvement in their certificate handling, and some are finally straightening out their MIBs (machine information base), in accordance with industry standards,” Lanning said. “This will help us monitor camera activity and functionality more accurately with standards protocols like SNMP (Simple Network Management Protocol). Most manufacturers still have a lot of issues in their MIBs.”