There’s a reason why IT professionals think that the Internet of things is a major security discrepancy. Around 5.5 million new devices are being connected to the Internet every day, and are giving security experts a run for their money. The Internet of Things and its devices could potentially become a security hazard for businesses that aren’t prepared to protect their assets from hacks.It’s not unheard of for users of Internet of Things devices to forget to secure them, especially in the case of security cameras. If this happens, an unsecured security camera that’s connected to the Internet can be used for some nefarious things. Lisa Vaas of Naked Security reported on a study saying that these IoT devices have plenty of security holes. Her report, “DVR snaps stills from CCTV surveillance and sends them to China,” goes into detail about findings from researchers at UK-based Pen Test Partners.
The study analyzed data from Shodan, the search engine dedicated to Internet-connected devices like buildings, smart appliances, webcams, and so much more. These researchers chose to focus on Internet-connected surveillance cameras.
Just a quick note: we want everyone who uses web-connected security cameras to know that even an average PC user can create a Shodan account and use it to search for, access, view, and control unsecured cameras. We weren’t sure how well this works, but it definitely does. Take a moment to view these stills from random surveillance cameras that we came across on Shodan:
These are just a couple of random shots that we came across. There might not be much going on here, but one thing we do know, monitoring strangers in their homes is certainly unethical. These cameras are just random ones that we stumbled upon. However, Shodan has been criticized for giving its users easy access to cameras that are sensitive in nature. Vocativ cites findings by Ars Technica:
These webcams show feeds from sensitive locations like schools, banks, marijuana plantations, labs and babies’ rooms. Shodan members who pay the $49 monthly fee can search the full feed at images.shodan.io. A Vocativ search of some of the most recently added images shows offices, school, porches and the interior of people’s homes. Accompanying each of these grabs is a pinned map that shows the location of the device capturing that footage.
If you’re still not sold on how creepy and intrusive this whole concept is, let’s go back and take a closer look at the first study we mentioned by Pen Test Partners. Vass reports:
The device also has no Cross-Site Request Forgery (CSRF) protection, so attackers can trick users into clicking on links to carry out malicious actions; it has no lock-out, so attackers can guess as many passwords as they like; it sends communications without HTTPS that can be intercepted and tampered with; and there’s no firmware updates, so “you’re stuck with these issues,” Pen Test Partners said. But weirdest of all, the thing is capturing still images from video feeds and emailing them to an address that appears to be hosted in China.
Why exactly are surveillance images being sent to China? This is a question that Pen Test Partners was never able to answer. Rather than speculate on what’s going on here, we’re going to take the objective road and attempt to address the real problem: the fact that surveillance cameras are unsecured in the first place.
If your organization needs assistance with securing your Internet-connected devices, Setton Consulting can help. We can help you understand how Internet of Things devices work, and what you can do to ensure that maximum security for your network. To learn more, give us a call at 212-796-6061.