A white hat security researcher has discovered the presence of as many as 15,000 internet-connected private webcams sold by multiple companies worldwide that could be accessed by anyone with an Internet connection because of their lack of security protections.
Avishai Efrat, working as a white hat researcher for WizCase, found that these vulnerable private webcams belonged to various device types such as AXIS net cameras, Cisco Linksys webcam, IP Camera Logo Server, IP WebCam, IQ Invision web camera, Mega-Pixel IP Camera, Mobotix, WebCamXP 5, and Yawcam.
Efrat found that these private webcams did not feature automated security protections and if their buyers did not take additional security measures post-installation, they could be remotely accessed by cyber criminals with great ease.
15,000 private webcams shipped with easily predictable default admin credentials
This is because these devices shipped with standard, easily predictable default credentials for admin access that cyber criminals could guess with little effort. Once admin access was obtained, a hacker could not only view private videos recorded by these webcams, but could also manipulate them, edit their settings, and gain additional privileges.
All the affected private webcams were being used by individuals, businesses, private institutions, places of worship, and other organisations in a large number of countries, including the UK, USA, Germany, France, Australia, Canada, Spain, and Japan.
"Some examples of camera that were accessible include those at shops, inside the kitchens/living rooms/offices of private family homes – including a live feed of people on the phone and children peeking at the camera directly, tennis courts, storage units, hotels, museum security feeds, churches, mosques, parking lots, gyms, and more," wrote Chase Williams, Web Security Expert at WizCase in a blog post.
"Not only do they all potentially have the ability to be viewed by anyone around the globe with an internet connection, many of them can be manipulated, including by editing settings and other privileges. There are also quite a few webcams that have only easily predictable and standard default credentials to bypass to obtain admin-level access."
Williams added that the widespread exposure of these private webcams not only raises serious privacy concerns, but the footage they leak also enables criminals to plan burglaries, allows governments to monitor the private lives of citizens, enables hackers to collect PII of targeted victims to access bank accounts and steal identities, and facilitates intergovernmental espionage.
Ensuring convenience for end-users trumps IoT device security
He noted that the main reason these private webcams aren't shipped with a watertight authentication mechanism is that manufacturers intend to make device installation as seamless as possible for consumers who may find it difficult to adjust the settings of these devices on their own. However, the lack of a pre-set authentication mechanism can leave open ports that hackers can exploit.
"The device’s security posture might depend on different things but a recommended way to set up a secure web camera would be to use a local VPN network, so that any open port would remain within the limits of the encrypted communication of the VPN.
"The app would connect to the VPN which would then access the port using an internal IP, thus avoiding the open port & call home potential problems and removing accessible ports from your external IP. Moreover, a unique password should be set up for the device," he added.
According to Jonathan Knudsen, senior security strategist at Synopsys, while consumers bear the responsibility of understanding the products they use, and understanding how they are configured and deployed, networking concepts and configuration are difficult and likely to be beyond the understanding of many consumers. As a consequence, vendors bear the responsibility to ship secure-by-default devices, with clear documentation about the consequences of potentially risky configurations.
"Building and using products with only functionality in mind is no longer viable. Security must be baked into the products themselves. Security must dictate how products are presented to consumers. Additionally, security must be understood and considered when products are deployed by consumers," he adds.
According to Sam Curry, chief security officer at Cybereason, securing IoT devices in the future requires manufacturers to ensure that every shipped device has a unique, traceable identity; that IoT devices run with known, verifiable identities rather than default credentials; and that secure update services are provided that can re-image everything from the firmware up if and as required.
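One way to turn the points raised above (no factory-default credentials, a unique identity per device, and admin ports kept inside a VPN) into a routine configuration check, as an added example that is not code from WizCase, the researchers, or any vendor named here; the inventory, the default-credential set and the VPN subnet 10.8.0.0/24 are constructed assumptions:

```python
"""Audit a webcam inventory against the secure-by-default points in the article.

Added example. The DEFAULT_CREDENTIALS set and the INVENTORY entries are constructed
for illustration; real factory defaults vary by model and vendor.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of factory-default admin credentials (illustrative, not a real list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "pass"), ("admin", "1234")}

# Assumed VPN subnet: the admin interface should only be bound to an address inside it.
VPN_SUBNET = ip_network("10.8.0.0/24")

# Constructed inventory, one entry per camera, as an operator might export from config backups.
INVENTORY = [
    {"id": "cam-lobby", "user": "admin", "password": "admin", "admin_bind": "0.0.0.0"},
    {"id": "cam-yard", "user": "admin", "password": "Q7!rv9kLp2", "admin_bind": "10.8.0.12"},
    {"id": "cam-kitchen", "user": "admin", "password": "Q7!rv9kLp2", "admin_bind": "10.8.0.13"},
    {"id": "cam-till", "user": "ops", "password": "s4Gx#2pWq8m", "admin_bind": "10.8.0.14"},
]


def audit(inventory, defaults=DEFAULT_CREDENTIALS, vpn_subnet=VPN_SUBNET):
    """Return {device_id: [finding, ...]} for every device that fails at least one check."""
    findings = {}
    # Count how many devices share each credential pair: a shared pair is not a unique identity.
    shared = Counter((d["user"], d["password"]) for d in inventory)
    for dev in inventory:
        cred = (dev["user"], dev["password"])
        issues = []
        if cred in defaults:
            issues.append("factory default credentials")
        if shared[cred] > 1:
            issues.append("credentials reused on another device")
        # 0.0.0.0 (all interfaces) or any non-VPN address exposes the admin port beyond the VPN.
        if ip_address(dev["admin_bind"]) not in vpn_subnet:
            issues.append("admin interface reachable outside the VPN subnet")
        if issues:
            findings[dev["id"]] = issues
    return findings


if __name__ == "__main__":
    for dev_id, issues in audit(INVENTORY).items():
        print(dev_id, "->", "; ".join(issues))
```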