If You Own a Smart IP Camera, You Need to Consider a Few Security Risks
What are the similarities between the computer you're using to read this article and the IP camera that you've set up for security reasons? There are more than a few, actually.
Both devices are connected to the internet which means that they send and receive information. The communication with the outside world would be impossible without an operating system that tells the individual hardware components what to do. And because it all needs to be controlled by a human being, this operating system has a user interface through which you and, as we'll establish in a moment, some other people, can interact with it.
So, in basic terms, while the purpose and the features of your home computer and your IP camera are different, the core functionality of the two devices is pretty close to identical. There is one more similarity that you need to bear in mind. Because your camera is connected to the internet, it, like your computer, can be hacked.
How easy is it to hack an internet-connected camera?
Researchers from Bitdefender were asking themselves the same question which is why they recently took four IP cameras and tried breaking their defenses. The cameras they picked were the Keekoon KK005, the Tenvis TH661, the Reolink C1 Pro Camera, and the Geenker HD IP Camera. Hacking into all four of them is easier than it should be.
The idea of an IP camera is that it can be controlled remotely, which usually happens via an administration panel that can be accessed either through a browser or through a mobile application. Normally, before you're allowed to alter anything, you need to provide a username and a password, but the four cameras Bitdefender tested had multiple authentication bypassing vulnerabilities which let the experts log in without having the credentials. With the Geenker HD IP Camera, skipping the login page was as easy as entering a different URL in the address bar of the browser.
There were plenty of other security holes as well. The researchers found hardcoded Telnet credentials in the same Geenker camera, and with the Reolink C1, they were able to get the password for the local Wi-Fi network. The Reolink C1 could even spill some email credentials. As if that wasn't enough, virtually all cameras are susceptible to command injection and stack overflow attacks, and the Keekoon also arrives with its own LAN backdoor.
How useful can a hacked IP camera be?
Spying on you and your property is, at first glance at least, the most obvious thing a cybercriminal can do with a compromised IP camera. The authentication bypass vulnerabilities allow hackers to gain full control of the camera which means that whatever you can do with it, they can do as well, and this includes streaming and recording footage.
The thing is, for most of us, this isn't going to be a problem. Specific targets who, in one way or another, have upset some high-profile individuals should probably be worried about this sort of thing. It's fair to say, however, that spies won't be very eager to find out what Joe and Joanne Average do after they get home from work.
The fact that the cybercriminals won't bother eavesdropping on you, however, doesn't necessarily mean that they are not interested in you at all. They'll probably be happy to learn, for example, what the password for your online banking platform is, and believe it or not, your vulnerable IP camera can help them find it. Don't forget that the camera is connected to the same local network as the rest of your devices, and it can, under some circumstances, serve as a gateway for the hackers. Their ability to move around and infect your computers, phones, and tablets is dependent on a number of factors, but it's fair to say that if they do manage to get in (and some of the vulnerabilities Bitdefender found to suggest that this is not impossible), they will find a way of causing more damage.
Last but not least, hackers can use your IP camera to wreak havoc for other people. Those of you interested in information security news probably remember the infamous Mirai botnet which launched an unprecedented Distributed Denial of Service (DDoS) attack in 2016 and caused a massive internet outage in parts of the US. A large portion of the devices that comprised the botnet were IP cameras, and their owners had no idea that they were inadvertently participating in one of the world's biggest cyberattacks. What can you do to try and avoid such a situation in the future?
Mitigating the security risks of IP cameras
Not all IP cameras come with a wide array of vulnerabilities, but it's fair to say that the four models tested by Bitdefender are far from the only ones which means that if you're considering installing such a device, you could do worse than research your options and pick carefully. Choosing the right camera is only half the story, though.
In their race to put as many devices as possible on the internet, vendors tend to overlook the security of their products, but it must be said that sometimes, they are not the only ones to blame. Often, users are in too much of a hurry to properly configure their cameras, and they hide them behind strong passwords. Far too many cameras are exposed to the internet and are protected by their default credentials. As we established yesterday, hackers can find these cameras in no time, and when they do, they are bound to try to brute-force their way in using out-of-the-box usernames and passwords.
It's ironic that something supposedly designed with security in mind offers such poor protection from (albeit online) intruders. Perhaps more worryingly, very few vendors have put together reliable update mechanisms that can patch vulnerabilities as soon as they are discovered. Unfortunately, this means that, other than being careful with the devices you put on your network and avoiding some of the most basic configuration mistakes, there's not much you can do to keep the hackers away.