Hackers could exploit vulnerabilities in networked security and surveillance cameras to gain access to the network they connect to. They could also use the cameras to look for physical security flaws or to spy on employees and patients. Hackers are also taking advantage of lax security on a range of IoT devices and are using them to launch Distributed Denial of Service (DDoS) attacks, and IoT devices with poor security controls can be added to a botnet or used for further attacks on an organization.
The warning comes from a recent report from Cloud security firm Zscaler. Its researchers were particularly concerned about vulnerabilities in security and surveillance cameras.
Zscaler reviewed the security controls on several well-known residential and enterprise security cameras and discovered a variety of weaknesses that hackers could exploit. For example, the Flir FX wireless HD monitoring camera communicates in plaintext and without authentication tokens. Its firmware updates also carry no digital signature, so an attacker could push an update containing custom-crafted firmware and gain full control of the camera. Similarly, the Foscam IP surveillance camera transmits user data in plaintext over HTTP, with the password included in the URL.
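The Foscam weakness described above (a password carried in the URL of an unencrypted HTTP request) is something a web-proxy or gateway log can reveal. The following is an added detection example, not code from Zscaler or the report; the log format, device addresses, URL layout and parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a simplified proxy access-log format
# (timestamp, client IP, method, URL). Addresses, paths and parameter
# names are assumptions for this example, not values from the report.
SAMPLE_LOG = """\
1491234501.123 10.20.30.41 GET http://192.168.50.12/cgi-bin/CGIProxy.fcgi?cmd=getDevState&usr=admin&pwd=hunter2
1491234502.456 10.20.30.41 GET https://192.168.50.12/cgi-bin/CGIProxy.fcgi?cmd=getDevState&usr=admin&pwd=hunter2
1491234503.789 10.20.30.55 GET http://updates.example.net/firmware/cam-v2.bin
1491234504.012 10.20.30.60 POST http://192.168.50.20/login?user=operator&password=Winter2017
"""

# Query-string keys that commonly carry a secret (case-insensitive match).
SECRET_KEYS = re.compile(r"^(pwd|pass|passwd|password|token|apikey|api_key)$", re.I)

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def find_plaintext_credentials(log_text):
    """Return one finding per request that sends a secret-looking query
    parameter over unencrypted HTTP. The secret value itself is never
    returned, only the parameter name, so findings can be logged safely."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole pass
        url = urlsplit(m.group("url"))
        if url.scheme != "http":
            continue  # HTTPS (or a non-web scheme) is not the plaintext case
        leaked = sorted(k for k in parse_qs(url.query) if SECRET_KEYS.match(k))
        if leaked:
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "host": url.hostname,
                "path": url.path,
                "params": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> http://{f['host']}{f['path']} leaks {f['params']}")
```

Run against the sample, the HTTPS request and the firmware download produce no finding; the two plaintext HTTP requests carrying `pwd` and `password` do.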
These are just two examples. Unfortunately, it is a similar story with many other manufacturers' devices. SEC Consult's security researchers recently identified two backdoors in over 80 models of Sony professional surveillance cameras. The devices had hard-coded credentials in a web interface that would allow hackers to enable the Telnet service on the devices remotely. The hackers could then use a hard-coded password for the root account to control the devices through Telnet.
It is believed that Sony installed the backdoors for use during product development but failed to remove them prior to release. When informed of the flaws, Sony quickly issued an update to correct the issue.
SEC Consult stated that the flaws in security and surveillance cameras can be exploited to gain a foothold in a network for use in further cyberattacks, to interrupt camera performance, send altered photos/video, or to add the cameras to a Mirai-like botnet.
Zscaler has warned all organizations that use IoT devices to take action to minimize the potential for the devices to be accessed and misused by hackers. Zscaler advises blocking external ports, setting strong passwords, changing default accounts, and operating the devices on isolated networks.
Failing to improve the security of IoT devices could result not only in a compromised network or a data breach, but also in a regulatory fine. The Department of Health and Human Services' Office for Civil Rights (OCR) has already issued a warning to healthcare organizations about the risks introduced by IoT devices. Fines for noncompliance may well follow.
OCR recommends consulting the US-CERT website to obtain further information on how to protect IoT devices.