'Severe' security flaws can turn popular smart cameras into spying tools

Kaspersky Lab researchers found multiple vulnerabilities in certain smart cameras that could allow attackers to obtain remote access to video and audio feeds.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Kaspersky Lab researchers found several severe security vulnerabilities in popular smart cameras that are often used for home and office security surveillance.
  • Flaws in smart cameras uncovered by Kaspersky Lab could allow attackers to gain remote access to video and audio feeds, remotely disable the devices, or infect them with malicious code.

Several popular smart cameras used for home and office security surveillance include "severe" security flaws that can transform them into spying devices, according to new research from Kaspersky Lab.

The uncovered security flaws in Hanwha Techwin cameras could allow attackers to gain remote access to the cameras' video and audio feeds, remotely disable the devices, infect them with malicious code, use them as an entry point for further attacks on the network, or perform a number of other illegal activities, the researchers found--potentially putting your business at risk.

As noted by our sister site ZDNet, the final result of this type of attack could be the distribution of modified firmware, which can exploit a hidden capability for switching the web interface, therefore providing the attacker with privileged access to the device. The attacker would then be able to use the flaws in the camera to enter the rest of the network, ZDNet reported.

While previous research has found that smart cameras tend to contain some security vulnerabilities, Kaspersky Lab discovered that a whole range of these cameras have insecurely designed cloud-backbone systems that leave them open to severe attacks. These systems were created to allow the device owners to remotely access video from their devices, but can easily be exploited by criminals, the researchers noted.

The researchers identified nearly 2,000 vulnerable cameras working online. The actual number of insecure cameras is likely much higher, because those identified were only the ones that had their own IP addresses.

In addition to malware infections, the cameras could also be used for cryptocurrency mining--one of the largest emerging security threats facing businesses, Vladimir Dashchenko, head of the vulnerabilities research group at Kaspersky Lab, said in a press release.

Kaspersky Lab reported the vulnerabilities to Hanwha Techwin, and the manufacturer has already fixed some and is working on patching the rest, the researchers said.

"The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems - or at least significantly decrease the severity of existing issues," Dashchenko said in the release. "In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable."

Kaspersky Lab offered the following tips to keep your devices safe:

  • Always change the default password. Use a complex password and do not forget to update it regularly.
  • Pay close attention to security issues of connected devices before purchasing yet another smart device for homes or offices. Information on discovered and patched vulnerabilities is usually available online and is often easy to find.

Manufacturers should also enhance their cybersecurity strategies, and develop a secure-by-design environment, the researchers said.
