Earlier today, Kaspersky Lab researchers announced that they had discovered flaws in Hanwha’s SmartCam cameras. More than a dozen vulnerabilities were found including critical flaws that can be used to take control of devices remotely. IT security experts commented below.
Amir Abramovitch, Security Researcher at Cy-OT:
“According to this research, hackers can take over any Hanwha smart camera, and some Samsung cameras. Amongst other things, they can remotely change the administrator’s password and execute arbitrary code on the camera.
This is particularly worrying as the camera is wireless-only (no wired connection available) and may not be properly managed and monitored at a corporate office. More likely, most offices won’t even know they have one of these on premise.
These vulnerabilities in Hanwha smart cameras create an opening for hackers to remotely take over the device and use it to infiltrate corporate secure networks.”
Steve Giguere, EMEA Engineer at Synopsys:
“Internet of Things (IoT) products are heavily driven by time to market and feature first design, with the perception that these are the direct lines to profit. Security concerns are a distant third, with security too often seen as a cost centre as opposed to an essential enabler.
Understanding that shifting the detection of serious product vulnerabilities as early as possible in the development process, using static code analysis (SCA), fuzzing technologies and penetration tests, provides an opportunity, not only for reduced developer costs, support and maintenance, but also mitigated risk of negative impact on brand and product reputation.
Considering that insecure devices such as smart cameras can give attackers the ability to use anything from buffer overflow vulnerabilities to cloud misconfigurations and insecure data in transit; allowing for anything from arbitrary code execution to botnet DDoS or crypto-mining to complete administrative access to the camera, the question shouldn’t be what is the cost of security; but what is the cost of not taking security seriously enough?”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.