Lights, camera, what about security?
At NCC Group we are always looking for ways to make the world safer and more secure, especially within the Internet of Things (IoT) ecosystem.
Millions of IoT devices are in use across our homes and businesses with the purpose of making our lives easier and safer – especially home security cameras – but many people forget to consider the security of these devices, particularly when they’re so affordable and readily available online.
The security of devices like these has been a sticking point for the industry, watchdogs and consumer bodies for a number of years, with countless calls for regulations that would set a security standard for manufacturers to work to.
With this in mind, one of our security consultants, Dale Pavey, dived into the potential risks facing consumers and businesses using Internet Protocol (IP) cameras – a type of surveillance camera that uses an internet-based network connection in order to store the data that it records.
So, what did our research uncover?
A number of security and privacy issues were discovered straight away, including default credentials stickered across packaging and the device itself, as well as weak encryption.
Most worryingly though, one camera was vulnerable to the Heartbleed security bug – a vulnerability that could allow a malicious actor to easily trick a vulnerable web server into sending sensitive information, including usernames and passwords.
By exploiting it, we found that we could discover the user’s credentials and simulate an attack called ‘Pass-the-Hash’ to move the camera’s motor and format the SD card. This then enabled us to create a Real Time Streaming Protocol account which allowed us to view the camera’s video feed and disable privacy mode.
The good news is that this vulnerability has since been patched following a responsible disclosure process with the vendor.
Here are our thoughts on a number of ways consumers and businesses alike can keep themselves safe and secure to ensure that they can use their devices with confidence.
- Remove any stickers which show the credentials of the device, especially if the camera is mounted outside
- If you can create a Virtual Local Area Network (VLAN), set up an isolated network for these devices – this adds that extra layer of security to your device and prevents compromise
- Ensure default credentials are changed as soon as you purchase the device
- Keep on top of the latest firmware patches by performing checks each month for updates via the mobile application, or set your device to auto-install to ensure that the device is protected against future exploits and vulnerabilities
- If the device has hit its end of life in terms of product support, you should assess whether it’s worth keeping the device or whether you should purchase a newer model.
This, coupled with the vital steps that are being made across the globe to move towards improved security and manufacturing processes for IoT devices, will help to keep businesses and individuals safer and more secure.
We are proud to play a role in these ongoing efforts to secure the IoT ecosystem, and last month we were named as an Authorized Lab by the ioXt Alliance – an industry group dedicated to building confidence in Internet of Things products. We were also pleased to see the UK’s Department for Digital, Culture, Media and Sport (DCMS) release a call for evidence on the legislation that will mandate security requirements for consumer Internet of Things (IoT) devices.
But for now, it’s important for consumers and businesses to remain vigilant about the devices they are using – be sure to change the default credentials, and update the firmware when possible.
If you’d like to find out more about the research, head over to our blog where Dale walks through the testing and discoveries he made about some of the most popular IP cameras currently available.