A security researcher has discovered that 15,000 private webcams around the globe are exposed and accessible by anyone with an internet connection. They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.
They include devices from major manufacturers: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.
More info here: https://www.
Security is a shared responsibility between vendors and consumers. Vendors are responsible for minimising vulnerabilities in the design and implementation of their products. Consumers are responsible for deploying products in configurations that meet their own goals. It is unlikely that all 15,000 webcams were purposely exposed to the internet with no security controls in place. More likely is that consumers did not understand the implications when they set up these cameras. To some degree, consumers bear the responsibility of understanding the products they use, and understanding how they are configured and deployed.
On the other hand, networking concepts and configuration are difficult and likely to be beyond the understanding of many consumers. As a consequence, vendors bear the responsibility to ship secure-by-default devices, with clear documentation about the consequences of potentially risky configurations.
In any case, building and using products with only functionality in mind is no longer viable. Security must be baked into the products themselves. Security must dictate how products are presented to consumers. Additionally, security must be understood and considered when products are deployed by consumers.
As this latest incident shows, the vast numbers of end user devices, IoT, workforce mobility and multi-cloud technologies that define and advance digital transformation have an unfortunate downside of increasing the probability of data exposure and potential attack vectors to businesses.
It is especially troublesome for those who may lack technical expertise, as this makes them susceptible to the many cyber threats and security risks that this new IT infrastructure can introduce. The good news is that securing these deployments doesn't have to be complex – a solution to overcome them is not far behind. In this instance secure Software Defined WAN (SD-WAN) for the network edge is the answer.
Modern software development techniques are a rich source of future security bugs. Programmers nowadays are no longer scientists; they are fitters – assembling third-party libraries, components and tools to create a desired application. They are doing this without a clear understanding of the underlying principles of how these libraries work at a fundamental level.
Any failure in one of these software components, any lack of understanding in how to assemble them – or even in how they interact with the rest of the Internet – is likely to lead to a significant future vulnerability. As in this case, even a simple operational error could leak users' data.
This is sensitive personal data. There is the risk, for example, that pictures of children could have been sent out to the wrong users. Unless the organisation has good data monitoring, they may never know for certain.
The Internet of Things – or IoT – is exploding in popularity. As people continue to connect their household devices to the Internet, you can expect to see more of this sort of privacy breach, particularly as organisations lacking the skills or experience to build such products leap onto the IoT bandwagon.
End users owe it to themselves to be diligent above and beyond simply securing the devices in question; they need to consider the fact that the networks – whether they are small office or home networks or enterprises – require diligence and observance from a security perspective. It is foolish to assume that just because we purchase an IP-enabled device and add it to our environments that the device in question is secure or that our networks are secured to the point of mitigating unwanted/unauthorized bi-directional communication and control.
Manufacturers and vendors have a growing responsibility, especially in the IoT space, with respect to their technology and how it will be applied in environments, which are diverse. Ideally, all devices should be assessed for risk at the manufacturer and then again by those who are responsible for selling/implementing them in enterprises.