NCSC red flags poor security controls in smart cameras and baby monitors

The National Cyber Security Centre has published a report advising users to secure their smart cameras and baby monitors that are connected to the Internet, advising them on how to set up their smart cameras to secure them from unauthorised access.

Smart cameras like security cameras and baby monitors are connected to the Internet via home Wi-Fi so that their users can view the live feed on the move. However, like any other smart device, they need to be secured to prevent cyber criminals from accessing them and stealing private data.

According to NCSC's guidance, the simplest way for IoT device users to protect themselves from cyber attacks is to change the default password to a secure one and to avoid using easily-guessable or simple passwords.

Another way to secure monitoring devices is to install regular software updates. NCSC says that consumers should turn automatic updates on, so that updates get installed automatically. Regular security updates not only secure Internet-connected devices but also bring in new features that optimise device utilisation.

“Smart technology such as cameras and baby monitors are fantastic innovations with real benefits for people, but without the right security measures in place they can be vulnerable to cyber attackers,” says Dr Ian Levy, Technical Director at NCSC.

“We want people to continue using these devices safely, which is why we have produced new guidance setting out steps for people to take such as changing passwords. These are practical measures which we can all take to help us get the most out of our home-based technology in a safe way,” he added.

NCSC has also published a guidance on router settings, stating that “many routers use technologies called UPnP and port forwarding to allow devices to find other devices within your network. Unfortunately, cyber criminals can exploit these technologies to potentially access devices on your network, such as smart cameras. To avoid this risk, you should consider disabling UPnP and port forwarding on your router - check your router's manual or the manufacturer's website for details about how to do this.”

“We are working hard to make the UK the safest place to be online and want everyone to have confidence in their connected devices. I recently announced new laws to improve the security standards of internet-connected household products which will hold companies manufacturing and selling these devices to account. I urge everyone who owns a smart product to follow the NCSC guidance to make sure their device is secure,” said Matt Warman, Digital Infrastructure Minister.

IoT device makers should consider PKI solutions to defend against cyber attacks

Welcoming the NCSC guidance, Kiri Addision, Head of Data Science at Mimecast told TEISS that “recent stories involving the hacking of internet-enabled security cameras and Smart TV’s, among other IoT devices, have provided criminals with another opportunity to extort money from victims.”

“It is now widely known that many IoT devices, such as smart cameras, lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.

Therefore, it is welcome news to see that the NCSC is providing guidance to consumers to ensure they are taking the necessary steps to make these devices secure. Basic cyber hygiene, such as changing default passwords and regularly updating software, can go a long way to improving device security,” Addision added.

"Connected device security stands to benefit from well-considered legislation and guidance, like these set out by the NCSC. But, while this advice is a good start, we must not fall into the trap of believing that passwords are sufficient to address identified gaps in IoT security," says Tim Callan, Senior Fellow at Sectigo.

"Unfortunately, despite the NCSC recommendations for unique, secure passwords, the password paradigm is fundamentally vulnerable to well-established techniques including phishing, social engineering, and credential stuffing. To get around these problems, manufacturers should consider Public Key Infrastructure (PKI) solutions, which can provide a more trustworthy identity for devices," he added.

ALSO READ: Government to draft new legislation to make IoT devices more secure

MORE ABOUT: