The Information Commissioner has reminded the public that default passwords on internet-connected IP cameras must be changed, preferably by creating a strong password, but I fear his warning doesn’t go far enough.
There are other dangers facing your web-enabled security devices, including:
- Unpatched vulnerabilities
- Misconfigured firewalls
- Failing to switch off remote configuration tools
- IP cameras not being isolated from the rest of your network
For more information, read our article Your IP cameras: an open door to cyber attack? (first posted three weeks ago but reposted today in light of the news).
It is rather surprising that the Information Commissioner and other watchdogs are only now issuing warnings about the dangers of web cams.
We covered this story a month ago – Private Cookstown CCTV Cameras Hacked – but this issue has been an open secret in both the IT and CCTV communities for years.
The Information Commissioner highlighted the activities of a Russian-based website which has posted links to thousands of IP cameras, but there is nothing new about this. There are search engines devoted to finding unprotected IP cameras – all the Russians have done is collect the links to the feeds in one place and package some advertising around them.
A quick search online this morning found a dozen websites devoted to web cam feeds.
These sites are taking advantage of people who have failed to change the default password. Some of them claim to be doing this as a public service, to alert the public to the risks. The Information Commissioner has said to them, “Now we all know and please will they take them down”.
But the risks go beyond weak or non-existent passwords.
Some IP cameras have well-known vulnerabilities that allow passwords to be extracted from the devices or security to be bypassed altogether.
Recent examples include Heartbleed, a flaw in OpenSSL, and Shellshock, a flaw in Bash, the command shell shipped with many Unix-like operating systems. Many IP cameras use operating systems built around these components, making them vulnerable to these and other lines of attack.
While companies are generally quick to issue patches, customers are slow to implement them, with some experts estimating that only 2% of cameras have been patched.
The dangers of having your cameras hacked are obvious, but beyond compromising the security of your surveillance system, a hacked camera can also be a gateway to the rest of your corporate network.
You can configure your network to isolate cameras from your business traffic but this requires some specialist skills to set up and maintain, meaning many networks are not protected.
The advice from cyber security experts is not to expose your cameras to outside networks, but if you must, then apply these safeguards:
- use firewalls with strictly enforced rules
- turn off remote configuration tools
- isolate your camera from internal networks so if it gets hacked (assume it will at some point), you won’t expose the rest of your network
Bear in mind that cameras are not the only IP devices so you need to understand what IP devices you have and to what degree they are exposed to external networks.
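The firewall and isolation safeguards above can be checked rather than assumed. The following is an added example, not code from the original article: it replays a few forbidden flows against an ordered rule list and reports any that get through. The subnets, addresses, ports and the first-match-wins rule model are all assumptions made for illustration.

```python
# Added example: audit an ordered firewall rule list for camera exposure.
# Every address, port choice and rule set here is constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None matches any port

def decide(rules, src, dst, port, default="deny"):
    """First matching rule wins (assumed model); unmatched traffic gets the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return default

# Flows that should never be allowed: remote admin from outside, camera to office.
PROBES = [
    ("internet -> camera web admin", "203.0.113.9", "10.20.0.11", 80),
    ("internet -> camera telnet", "203.0.113.9", "10.20.0.11", 23),
    ("camera -> office file share", "10.20.0.11", "10.10.0.20", 445),
]

def audit(rules):
    """Return the names of the forbidden flows that the rule set lets through."""
    return [name for name, s, d, p in PROBES if decide(rules, s, d, p) == "allow"]

WEAK = [  # everything forwarded to the cameras, cameras free to talk anywhere
    Rule("allow", "0.0.0.0/0", "10.20.0.0/24", None),
    Rule("allow", "10.20.0.0/24", "0.0.0.0/0", None),
]
HARDENED = [
    Rule("allow", "10.10.0.5/32", "10.20.0.0/24", 554),  # recorder pulls RTSP video
    Rule("deny", "10.20.0.0/24", "10.10.0.0/24", None),  # cameras cannot reach office
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24", None),     # nothing else reaches cameras
]
# A correct deny placed after a broad allow is never reached.
SHADOWED = [WEAK[0]] + HARDENED

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(label, audit(rules) or "no forbidden flow allowed")
```

The shadowed rule set shows why rule order matters: the deny rules are present, yet the broad allow ahead of them still exposes the camera's admin ports.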