Researchers from cybersecurity firm Tenable said the Amcrest IP2M-841B IP camera, available on Amazon and subject to 12,000 customer reviews — many of which are positive — contained a serious bug which is “trivial” to exploit and could allow attackers to listen in over HTTP, ZDNet reported.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
It is generally unwise to configure any security cameras to be accessed directly across the Internet. Although I’m frequent to point out the risks of connecting personal gear into vendor cloud infrastructures, cloud-based cameras do generally speaking provide an advantage over traditional IP cameras because users can access them through vendor apps without needing to publicly expose the cameras.
Often times these devices do not accept any incoming connections which could be abused by hackers and instead solely connect to the vendor’s system to receive commands and relay data. Although this may seem like a clear reduction of attack surface, it is actually more accurately described as relocating the risk from home networks and ISP addresses to vendor infrastructures which may house data for millions of other users. My personal solution is to have security cameras which are only accessible from an internal home network or through an encrypted tunnel to the home network.
The flaw in the Amcrest camera allowed anyone to listen in on audio recordings through the camera\’s microphone because it was not properly secured. The vulnerability has since been patched, but these sorts of flaws are becoming all too common in IoT devices. There is no single standards or auditing body that certifies these devices as safe, so security in IoT is largely self-regulated. This means that flaws can be overlooked or even inserted on purpose by manufacturers. And unlike web browsers that display a padlock icon whenever your connection to a website is secure, IoT devices give no such indication. This makes it difficult for consumers to judge whether a device is safe to use or not.
In my view, Amazon is the best candidate to ensure devices are secured. Many similar cameras and other white-labelled IoT devices are sold through Amazon, and Amazon certainly has the resources to audit IoT devices sold on its platform. As it stands, Amazon pretty much lets anyone sell whatever IoT device they want in the hopes that customer reviews act as the market\’s invisible hand to weed out bad products. Unfortunately, most Amazon customers are not equipped nor knowledgeable enough to evaluate IoT security, so good reviews of a poorly secured product keep flowing in.