IoT Camera Exploit Allows Attackers To Listen In Over HTTP

By ISBuzz Team
Writer, Information Security Buzz | Aug 02, 2019 07:06 am PST

Researchers from cybersecurity firm Tenable said the Amcrest IP2M-841B IP camera, available on Amazon and subject to 12,000 customer reviews — many of which are positive — contained a serious bug which is “trivial” to exploit and could allow attackers to listen in over HTTP, ZDNet reported.

2 Expert Comments
Craig Young, Principal Security Researcher
InfoSec Expert
August 2, 2019 3:33 pm

It is generally unwise to configure any security cameras to be accessed directly across the Internet. Although I frequently point out the risks of connecting personal gear into vendor cloud infrastructures, cloud-based cameras do, generally speaking, provide an advantage over traditional IP cameras because users can access them through vendor apps without needing to publicly expose the cameras.

Oftentimes these devices do not accept any incoming connections which could be abused by hackers and instead solely connect to the vendor’s system to receive commands and relay data. Although this may seem like a clear reduction of attack surface, it is actually more accurately described as relocating the risk from home networks and ISP addresses to vendor infrastructures which may house data for millions of other users. My personal solution is to have security cameras which are only accessible from an internal home network or through an encrypted tunnel to the home network.

Paul Bischoff, Privacy Advocate
InfoSec Expert
August 2, 2019 3:15 pm

The flaw in the Amcrest camera allowed anyone to listen in on audio recordings through the camera's microphone because it was not properly secured. The vulnerability has since been patched, but these sorts of flaws are becoming all too common in IoT devices. There is no single standards or auditing body that certifies these devices as safe, so security in IoT is largely self-regulated. This means that flaws can be overlooked or even inserted on purpose by manufacturers. And unlike web browsers that display a padlock icon whenever your connection to a website is secure, IoT devices give no such indication. This makes it difficult for consumers to judge whether a device is safe to use or not.

In my view, Amazon is the best candidate to ensure devices are secured. Many similar cameras and other white-labelled IoT devices are sold through Amazon, and Amazon certainly has the resources to audit IoT devices sold on its platform. As it stands, Amazon pretty much lets anyone sell whatever IoT device they want in the hopes that customer reviews act as the market's invisible hand to weed out bad products. Unfortunately, most Amazon customers are not equipped nor knowledgeable enough to evaluate IoT security, so good reviews of a poorly secured product keep flowing in.
