Smart cameras could be used as surveillance tool
Russian researchers from Kaspersky Lab said they discovered multiple security vulnerabilities in popular smart cameras that are frequently used as baby monitors, or for internal home and office security surveillance. Kaspersky Lab said in a statement the uncovered flaws could allow attackers to obtain remote access to video and audio feeds from the cameras, remotely disable these devices, execute arbitrary malicious code on them and do many other things.
It noted that modern smart cameras offer a large number of functions, giving users various options: they can serve as advanced baby monitors or as surveillance systems that spot intruders while no one is home or in the office.
Analyses conducted by many other security researchers have shown that smart cameras in general tend to contain security vulnerabilities at different levels of severity. However, in their latest research, Kaspersky Lab experts said they uncovered something extraordinary: not just one, but a whole range of smart cameras were found to be vulnerable to a number of severe remote attacks.
This was due to an insecurely designed cloud-backbone system that was initially created to enable the owners of these cameras to remotely access video from their devices.
By exploiting these vulnerabilities, malicious users could access video and audio feeds from any camera connected to the vulnerable cloud service; remotely gain root access to a camera and use it as an entry point for further attacks on other devices on both local and external networks; remotely upload and execute arbitrary malicious code on the cameras; steal personal information such as users’ social network accounts and the information used to send users notifications; or remotely “brick” vulnerable cameras, that is, render them completely unable to function, typically on a permanent basis.
Kaspersky Lab researchers contacted and reported the vulnerabilities to Hanwha Techwin, the manufacturer of the affected cameras. At the time of publication, some vulnerabilities had already been fixed, and the remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.
During their research, Kaspersky Lab experts were able to identify almost 2,000 vulnerable cameras working online, but these were only the cameras that had their own IP address and hence were directly available through the internet. The real number of vulnerable devices placed behind routers and firewalls could actually be several times higher, it said.
“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems – or at least significantly decrease the severity of existing issues. In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all, given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable,” said Vladimir Dashchenko, head of vulnerabilities research group at Kaspersky Lab ICS CERT.