Researchers have found that security cameras using an open-source code called gSOAP could be easily hacked and that attackers can send commands remotely. This allowed the researchers at Senrio, a security firm focused on the internet of things, to take over a video feed, pause the recording and turn the camera off. Leigh-Anne Galloway, Cyber security Resilience Lead at Positive Technologies commented below.
Leigh-Anne Galloway, Cyber security Resilience Lead at Positive Technologies:
“In last two years, we saw multiple reports of similar vulnerabilities in millions of other webcams and DVRs. Usually it’s about default settings (for example, Telnet logins with simple passwords used by Mirai botnet) or some debug backdoors left by developers (a story about Sony Professional Ipela Engine IP cameras). Hackers use automated scanners or specially designed search engines, such as Shodan.io, so they can quickly find thousands of vulnerable IoT devices.
“To prevent such threats, it is necessary to think about the security of IoT devices at all stages of development, deployment, and everyday use.
“At development stage, it’s possible to avoid many vulnerabilities by following the Secure Software Development Lifecycle (SSDL) practices, including the modern tools for automated code analysis.
“At the deployment stage, it’s important to correctly configure the system. You must change insecure default settings including passwords and privileges. Another good idea is to minimize the number of network services with open ports.
“As to the services in use, the access must be limited. In case of DVR / CCTV, Intranet access to devices must be given to certain IP addresses only (admins). It’s also reasonable to restrict the DVR access to the network allowing access only to necessary IP addresses, or to place such devices in an isolated network. And, of course, all the software, including the OS and third-party components, must be updatable. Create a secure update system and sign the device firmware so that attackers cannot install custom firmware of their own.
“Unfortunately, Mirai botnet and other IoT-based attacks showed that common users are generally unable to secure their IoT devices in the way they are accustomed to protecting their traditional PCs. Laptops and desktops are normally equipped with various protection mechanisms (such as antivirus software and firewalls), and the process of downloading security updates is intuitive and/or entirely automated. As to webcams or other IoT gadgets, in most cases, there is no simple interface from which the common user can analyse the performance of the device, or configure security settings, or update the software.”