It has been reported that consumer advocacy organisation Which? has issued a warning over the security of wireless camera brands made by China-based HiChip and urged the owners of more than 100,000 devices thought to be active in the UK to stop using their cameras immediately. The flaws affect both the devices themselves and their accompanying CamHi smartphone app, said Which?. The organisation worked to verify the flaw alongside security researcher and camera specialist Paul Marrapese, and found it in five cameras from OEM brands Accfly, Elite Security, ieGeek, Genbolt and SV3C. It may also exist in over 30 other brands that have been, at one time or another, sold into the UK. These include Alptop, Besdersec, COOAU, CPVAB, Ctronics, Dericam, Jennov, LETEK, Luowice, QZT and Tenvis.
The massive growth in IoT devices placed in the home and office is the perfect opportunity for cyber criminals to make money from particular types of malware. IoT devices are far too often packaged up with weak (if any) built-in security features, so the public are on the back foot from the outset. Security updates also tend to be infrequent which puts further risks on the owner.
Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7. If the cameras still record on the premise, they may not need to be online at all, preventing the risk of an attack altogether.
IoT devices can provide attackers with an easy route into your home network. With many of us working from home now, this poses an increased risk to businesses, due to the opportunity for an attacker to more easily move from an employee\’s personal network to their employer\’s. Apart from gaining access to the network, internet enabled security cameras can be exploited in a number of other ways, including shoulder surfing to gain information such as credentials, monitoring victims and collating information that can be used to create convincing phishing attacks and cameras with microphones can be used to spy on meetings and gain sensitive information. These increased threats require businesses to provide their workforce with awareness training on a regular basis, to ensure best practise is followed and staff are vigilant.
We use IoT devices and its technology as if it is already matured. Yet, we, as users and consumers of this useful and exciting technology, need to realise that it is still evolving. It has not yet reached the maturity level needed to serve the masses with stability and most importantly, security. As such, we need to proactive verify that our devices are secure. Hopefully, in the future, security will be not only built-in but also mandatory before a device can hit store shelves.
The introduction of a standard such as the UK legislation on IoT cybersecurity can help in providing the needed oversight, stability as well as transparency when it comes to creating processes and protocols during product development. It also allows for the identification of any missteps, and to adapt, evolve and mature the technology to its best and, in this case, safest version. This is an important step when talking about a technology that can, on one hand, be highly advantageous, but also threatening.