IoT Camera Exploit Allows Attackers To Listen In Over HTTP

Researchers from cybersecurity firm Tenable said the Amcrest IP2M-841B IP camera, available on Amazon and subject to 12,000 customer reviews — many of which are positive — contained a serious bug which is “trivial” to exploit and could allow attackers to listen in over HTTP, ZDNet reported.

Expert Comments

August 02, 2019
Craig Young
Principal Security Researcher
Tripwire
It is generally unwise to configure any security cameras to be accessed directly across the Internet. Although I’m frequent to point out the risks of connecting personal gear into vendor cloud infrastructures, cloud-based cameras do generally speaking provide an advantage over traditional IP cameras because users can access them through vendor apps without needing to publicly expose the cameras. Often times these devices do not accept any incoming connections which could be abused by hackers and instead solely connect to the vendor’s system to receive commands and relay data. Although this may seem like a clear reduction of attack surface, it is actually more accurately described as relocating the risk from home networks and ISP addresses to vendor infrastructures which may house data for millions of other users. My personal solution is to have security cameras which are only accessible from an internal home network or through an encrypted tunnel to the home network.
August 02, 2019
Paul Bischoff
Privacy Advocate
Comparitech
The flaw in the Amcrest camera allowed anyone to listen in on audio recordings through the camera's microphone because it was not properly secured. The vulnerability has since been patched, but these sorts of flaws are becoming all too common in IoT devices. There is no single standards or auditing body that certifies these devices as safe, so security in IoT is largely self-regulated. This means that flaws can be overlooked or even inserted on purpose by manufacturers. And unlike web browsers that display a padlock icon whenever your connection to a website is secure, IoT devices give no such indication. This makes it difficult for consumers to judge whether a device is safe to use or not. In my view, Amazon is the best candidate to ensure devices are secured. Many similar cameras and other white-labelled IoT devices are sold through Amazon, and Amazon certainly has the resources to audit IoT devices sold on its platform. As it stands, Amazon pretty much lets anyone sell whatever IoT device they want in the hopes that customer reviews act as the market's invisible hand to weed out bad products. Unfortunately, most Amazon customers are not equipped nor knowledgeable enough to evaluate IoT security, so good reviews of a poorly secured product keep flowing in.
