A webcam on a monitor.
Image: Peter/Adobe Stock

Imagine a cybercriminal hacking into an internet-facing webcam set up in your organization and spying on a meeting, a manufacturing process or an internal training session. Then imagine what that person could do with the information they obtained. That’s exactly the scenario laid out by cyber risk company BitSight.

For a new report about insecure IoT devices, BitSight discovered that one in 12 organizations with internet-facing webcams or similar devices failed to properly secure them, leaving them vulnerable to video or audio compromise. Specifically, 3% of organizations tracked by BitSight had at least one internet-facing video or audio device. Among those, 9% had at least one device with exposed video or audio feeds, giving someone the ability to directly view those feeds or eavesdrop on conversations.


Which organizations are most at risk from this hacking?

The organizations analyzed included ones in the hospitality, education, technology and government sectors. Out of these, the education area was at the greatest risk, with one in four using internet-facing webcams and similar devices susceptible to video or audio compromise.

Further, Fortune 1000 companies suffered the greatest exposure, including a Fortune 50 technology subsidiary, a Fortune 100 entertainment company, a Fortune 50 telecommunications company, a Fortune 1000 hospitality company and a Fortune 50 manufacturing company.

Which devices were analyzed in this cyber risk survey?

Most of the devices analyzed by BitSight use the Real-Time Streaming Protocol to communicate over the internet, though some use HTTP and HTTPS protocols. With RTSP, users can send video and audio content and run commands to record, play and pause the feed.

Though many of the devices examined for the report were webcams, the analysis also included network video recorders, smart doorbells and smart vacuums. Some devices were actually set up for security purposes.

Why the devices are at risk of being hacked

The internet-facing devices analyzed were not behind a firewall or VPN, leaving them open to fingerprinting and threats. Certain exposed devices were improperly configured, with some lacking any type of password set by the user. Other devices had an unpatched security flaw; many were affected by a specific access control weakness, an insecure direct object reference (IDOR) vulnerability.

IDOR vulnerabilities have become more worrisome as of late, according to BitSight. In 2022, BitSight discovered several critical IDOR vulnerabilities in a popular vehicle GPS tracker. Labeled as CVE-2022-34150, this flaw could allow a hacker to grab information from any device ID regardless of the user account signed into the device.
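To make the IDOR pattern concrete, here is an added illustration (not code from BitSight or from the GPS tracker product) of a device lookup that trusts the caller-supplied ID, beside a version that also checks ownership. The device store, user names, positions and function names are all constructed for the example.

```python
"""Insecure direct object reference (IDOR) on a device lookup, shown beside a
hardened version. Added illustration: the device store, users and function
names are constructed and are not taken from the report or from any product."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    last_position: tuple  # (latitude, longitude), constructed sample data


# Constructed in-memory store standing in for a tracker back end.
DEVICES = {
    "dev-1001": Device("dev-1001", "alice", (48.8566, 2.3522)),
    "dev-1002": Device("dev-1002", "bob", (51.5074, -0.1278)),
}


def get_device_vulnerable(session_user: str, device_id: str) -> Device:
    """IDOR: the caller is authenticated, but the record is fetched purely by
    the identifier the caller supplies. Any signed-in user can read any device
    simply by naming its ID; the session user is never consulted."""
    return DEVICES[device_id]


def get_device_hardened(session_user: str, device_id: str) -> Device:
    """Authorize the object, not just the request: the record must belong to
    the authenticated user. Unknown and foreign IDs are handled identically so
    the response does not reveal whether an ID exists."""
    device = DEVICES.get(device_id)
    if device is None or device.owner != session_user:
        raise PermissionError("device not found or not owned by caller")
    return device


def access_outcome(lookup, session_user: str, device_id: str) -> str:
    """Run a lookup and label what happened: 'denied', 'own-data' or 'leaked'
    (a record belonging to someone else was returned)."""
    try:
        device = lookup(session_user, device_id)
    except (KeyError, PermissionError):
        return "denied"
    return "own-data" if device.owner == session_user else "leaked"


if __name__ == "__main__":
    for fn in (get_device_vulnerable, get_device_hardened):
        print(fn.__name__, "alice -> dev-1002:", access_outcome(fn, "alice", "dev-1002"))
```

The fix is a single ownership comparison, which is why IDOR is so easy to miss in review: the vulnerable handler is not unauthenticated, it simply authorizes the wrong thing.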

At the very least, the video or audio feed should be protected by access control measures; however, many of them were not secured in this way, allowing attackers to view video feeds and spy on conversations. A savvy hacker could even alter the exposed feeds to spread false information, BitSight explained.

What are possible security impacts of such hacks?

Vulnerable webcams and other IoT devices open the door for several types of threats. An attacker could view private meetings and other conversations, enabling them to gather personal data or compromising information through a video or audio feed. The actual locations of employees and other people could be exposed. A hacker could also access business-related activities and conversations, allowing them to pick up sensitive information not only of the company but of any third parties.

The exposed information could threaten physical security. Some of the webcams analyzed by BitSight control secure doors and rooms, potentially giving criminals the information needed to bypass those controls. Further, an organization’s overall cybersecurity could be at risk. Access to vulnerable audio and video devices gives attackers more data with which to compromise your internal systems and networks.

Some of the areas with vulnerable webcams included manufacturing facilities, laboratories, meeting rooms, school buildings and hotel lobbies.

How to reduce the risk from exposed webcams and IoT devices

To help your organization lessen the risk from internet-facing webcams and other IoT devices, BitSight offers a few tips.

First, identify any video or audio devices deployed across your organization and your business partners. Then analyze the security of these devices.

Put any vulnerable devices behind a firewall or VPN.

Set up access control measures to protect any devices that lack the proper authentication.

For devices that suffer from a software vulnerability, the developer needs to step in to provide a patch or otherwise secure the device. If the vendor can’t or won’t do this, your only option may be to switch to a different device or brand.
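The steps above amount to an inventory exercise: list the devices, decide whether each is internet-facing, check whether its feed demands credentials, and rank what to fix first. The following added example (not BitSight's tooling) does that triage over a constructed inventory. The status lines are assumed to be the first line of the reply each of your own devices gave to an RTSP DESCRIBE or HTTP GET during an authorized check; the 203.0.113.0/24 documentation range stands in for public addresses, and the record fields and severity labels are this example's own.

```python
"""Inventory triage for audio/video devices. Added illustration, not code from
the report: inventory rows and captured status lines are constructed, and
203.0.113.0/24 (a documentation range) stands in for public addresses."""

import ipaddress
from dataclasses import dataclass

# Address space treated as internal: RFC 1918 plus loopback and link-local.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class DeviceRecord:
    name: str
    address: str
    protocol: str            # "rtsp", "http" or "https"
    status_line: str         # first line of the reply to DESCRIBE (RTSP) or GET (HTTP)
    behind_fw_or_vpn: bool   # reachable only through a firewall or VPN


def is_internet_facing(address: str) -> bool:
    """Anything outside the internal ranges is treated as reachable from the internet."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in _INTERNAL_NETS)


def requires_auth(status_line: str) -> bool:
    """RTSP and HTTP share the status-line shape '<proto>/<ver> <code> <reason>';
    a 401 means the server demanded credentials before serving the feed."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[1] == "401"


def classify(rec: DeviceRecord) -> str:
    """Severity from the two findings the report highlights: exposure and missing auth."""
    exposed = is_internet_facing(rec.address) and not rec.behind_fw_or_vpn
    open_feed = not requires_auth(rec.status_line)
    if exposed and open_feed:
        return "critical"   # the feed is viewable by anyone on the internet
    if exposed:
        return "high"       # fingerprintable; credentials are the only barrier
    if open_feed:
        return "medium"     # open feed, but only from inside the network
    return "low"


def triage(inventory):
    """Return (name, severity) pairs, worst first, preserving inventory order within a tier."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    ranked = sorted(inventory, key=lambda r: order[classify(r)])
    return [(r.name, classify(r)) for r in ranked]


# Constructed sample inventory.
SAMPLE = [
    DeviceRecord("lobby-cam", "203.0.113.10", "rtsp", "RTSP/1.0 200 OK", False),
    DeviceRecord("lab-nvr", "203.0.113.22", "http", "HTTP/1.1 401 Unauthorized", False),
    DeviceRecord("meeting-room-cam", "10.20.30.40", "rtsp", "RTSP/1.0 200 OK", True),
    DeviceRecord("doorbell", "192.168.1.50", "https", "HTTP/1.1 401 Unauthorized", True),
]

if __name__ == "__main__":
    for name, sev in triage(SAMPLE):
        print(f"{sev:8s} {name}")
```

Devices rated "critical" map to the first two tips (move them behind a firewall or VPN, then add authentication); a "high" device still needs the firewall step even though its feed is password-protected, because the report notes that exposed devices are fingerprintable and may carry flaws such as IDOR that authentication alone does not stop.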

“This research shows that even everyday technologies, such as webcams, can leave organizations highly vulnerable if exposed,” BitSight Chief Risk Officer Derek Vadala said in a press release. “Understanding how these devices can increase an organization’s attack surface and taking the steps to deploy them in a manner that limits potential threats is critical.”

