Vulnerable security cameras

According to Kaspersky Lab, several security vulnerabilities have been discovered in popular smart cameras, which are often used for internal security surveillance or as baby monitors [1]. Previous investigations have already shown that networked cameras have vulnerabilities [2]. The current investigation by Kaspersky experts shows that a whole range of smart cameras are vulnerable to serious remote attacks. The reason for this is the cloud backbone system, which was originally intended to allow the owners of the cameras to remotely access videos from their devices.

By exploiting the vulnerabilities, attackers would be able to:

• Gain access to video and audio from any camera connected to the vulnerable cloud service
• Gain root access to a camera remotely and use it as a gateway for further attacks on other devices in the local as well as external network
• remotely upload and execute malicious code on the cameras
• Steal personal data such as social network login credentials and information used to send notifications to users
• Remotely render the vulnerable cameras unusable

After the discovery, the vulnerabilities were reported to Hanwha Techwin, the manufacturer of the affected cameras. At the time of publication, some vulnerabilities have already been fixed, and the rest of the vulnerabilities will soon be completely fixed, according to the manufacturer.

All of these things were possible because experts found that the way the cameras interact with the cloud service is insecure and easily compromised. They also found that the architecture of the cloud service itself is vulnerable to outside interference.

This type of attack is only possible if attackers know the serial number of the respective camera. However, the way they are generated is relatively easy to find out through brute force attacks, since the camera registration system does not have dedicated protection against this.

During the investigation, the experts found almost 2000 vulnerable cameras on the Internet. However, these are only those with their own IP address. They are thus directly accessible from the Internet; the actual number of vulnerable devices behind routers or firewalls could be many times higher.

In addition, the experts found an undocumented function that could be used by the manufacturer for final production testing. This allowed attackers to send false signals to a camera or change a command that had already been sent to it. The function itself was also found to be vulnerable. In addition, it could be further exploited with a buffer overflow and cause the camera to shut down. The vendor has already fixed the problem and removed this function.

"The problem with current IoT device security is that both customers and vendors mistakenly think that if they integrate the device into their network and disconnect it from the wider Internet using a router, they will solve most security problems - or at least reduce the severity of existing problems," said Vladimir Dashchenko, of Kaspersky Lab. "In many cases, this is true: Before vulnerabilities in devices within a target network can be exploited, one would need to gain access to the router. However, our research shows that this is not necessarily the case. The cameras we examined were only able to communicate with the outside world via a cloud service, which is completely vulnerable. Interestingly, in addition to the previously described attack vectors such as malware infections and botnets, cameras are also used for mining. While mining on enterprise computers is a possible outcome of a successful attack, threatening enterprise security, IoT mining is an emerging trend that will continue to grow due to the increasing number of IoT devices."

Hanwha Techwin comments: "The security of our customers is our top priority. We have already fixed the camera's security vulnerabilities, including remote upload and execution of arbitrary malicious code. We have released the updated firmware to all users. Some vulnerabilities related to the cloud have been identified and will be fixed soon."

Safety tips

Kaspersky Lab advises home users:

• always change preset passwords. The password should consist of at least 16 characters and a combination of upper and lower case letters, numbers and special characters;
• to check for known security issues before purchasing a networked device. Information on known vulnerabilities and available patches can be found online.

Kaspersky Lab recommends that companies improve their own cybersecurity standards and understand and assess the threat risk, and develop a secure environment from the outset. Kaspersky Lab therefore actively works with vendors and informs accordingly about discovered security vulnerabilities.

More information on the vulnerabilities found in smart cameras is available at. https://securelist.com/somebodys-watching-when-cameras-are-more-than-just-smart/84309/

^[1] https://securelist.com/somebodys-watching-when-cameras-are-more-than-just-smart/84309/

^[2] https://www.silicon.de/41653919/gravierende-sicherheitsluecke-in-millionen-von-ip-kameras-aufgedeckt/

Press release: Kaspersky Lab