Internet of Things (IoT) security cameras have never enjoyed a reputation of robust device security–a shortfall that is at least moderately ironic as security is right in the name. Between websites like Insecam that allow people to view completely unsecured webcams from around the world (like this mysterious roundabout in Tokyo), and reports of a compromised Nest camera playing a warning of an impending North Korean missile attack, there is certainly room for a lot more security in your security camera.
Security research firm Barracuda Labs investigated an unnamed IoT security camera, and identified extensive issues in the security design of the product, including a mobile app ignoring the validity of security certificates, exploitable cross-site scripting in the web app, the ability to traverse files in a cloud server, and unsigned device firmware update packages. Taken together, this allowed researchers to acquire credentials from and compromise the device itself, without physical access to the camera.
SEE: How SMBs can maximize the benefits of IoT initiatives (Tech Pro Research)
In the case of the mobile app ignoring the security certificate, if a device owner connects to the camera using their smartphone while connected to a malicious Wi-Fi connection–such as in a public place, like an internet cafe or coffee shop–the hostile network can intercept this traffic to obtain an unsalted MD5 hash of the user password by acting as a man-in-the-middle to the server of the product manufacturer.
By attacking vendor infrastructure, successfully hacking IoT cameras is substantially easier than trawling through Shodan scans for vulnerable devices. The report posits that “bugs are not inherent to products, rather to processes, skills, and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.”
Barracuda does provide some guidance for IoT device manufacturers, noting the importance of deploying a web application firewall and ensuring that cloud security measures are taken.
For consumers, the firm recommends researching the device manufacturer, claiming “a few companies that produce IoT devices understand software security.” It emphasized paying attention to the track record of vendors–if they ship insecure products, their future products are likely to be insecure, while vendors that provide frequent and timely patches for vulnerabilities should be more trustworthy.
The big takeaways for tech leaders:
- Multiple oversights in basic security practices were observed in IoT devices analyzed by Barracuda Networks.
- Aftermarket security updates and support from IoT device manufacturers are critical factors when considering an IoT device purchase.