Are your IP cameras: an open door to cyber attack?
IP cameras and other networked security devices are creating a potential cyber security risk in their own right, due to misconfiguration, user error and in some cases flaws in the devices and software itself.
You may already be familiar with the threat that so-called web cameras can pose to security. Cameras connected to the internet can be hacked, giving the attacker the ability to view your cameras and in some cases take control of them as well.
In many cases, this is due to simple user error – a failure to change the default passwords – giving the hacker an easy route into your system. It’s estimated that hundreds of thousands of cameras worldwide have been left in default mode, effectively broadcasting their content to the internet.
There are even websites and search engines devoted to helping casual voyeurs find and view these cameras. We highlighted this problem in a recent post on SecurityNewsDesk (“Private Cookstown CCTV Cameras Hacked”) which revealed that in one instance, hackers were able to watch a sleeping child in his bed.
As frightening as this sounds, you may feel that you are not at risk because you have changed your default password and your cameras sit on a network behind a firewall. Unfortunately in the world of cyber, things are never as cut and dried as that.
Researchers at the security firm Qualys last year demonstrated at an international security conference, Hack in the Box in Amsterdam, that web-based administrative tools make web cameras inherently insecure.
Using a search engine called Shodan, they were able to find tens of thousands of wireless IP cameras, 20% of which would authenticate you – that is, give you access to view and change settings – using just the username “admin”.
However, even where the password had been changed, many cameras were still vulnerable to the brute force approach in which the attacker runs through a dictionary of thousands of common or easy to guess passwords until he finds the right one.
If that doesn’t work, hackers can turn to other exploits that are well documented on the internet including path traversal which allows you to bypass the authentication functions and access vital data including in some cases passwords. In the case of the specific camera the researchers were hacking for their demonstration, a patch had been created to fix this vulnerability but it had only been applied to 1% of cameras.
Further attacks can be used to access the camera but perhaps more worrying for system owners is that once they have hacked the camera, they have gained access to the local network as well, which would provide a stepping stone to attack other devices including PCs and servers.
If all of this seems too technical for you, rest assured: the researchers have created a tool that automates most of the attack techniques.
Bash attack
One might think that these are problems that only affect the naïve, the unwary and the careless. However, fundamental flaws in the architecture of some of the most common operating systems is leaving not only cameras but other IP-enabled security device vulnerable to attack.
Two vulnerabilities recently discovered include Heartbleed and Shellshock.
If you use SSL/TLS to provide communication security – and who doesn’t? – then the Heartbleed bug is something for you to be concerned about. According to heartbleed.com, “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.”
SSL/TLS secures communications for applications as diverse as web, email, instant messaging and virtual private networks. OpenSSL is widely used but is by no means the only SSL solution available, therefore you have to understand whether your devices use OpenSSL to determine whether you might be vulnerable.
Pelco, for instance, issued an advisory following the discovery of Heartbleed, to let its customers know that its cameras were not vulnerable because they use the Windows SSL system. However, other companies including Cisco and D-Link that use OpenSSL have issued advisories and firmware updates, so if in doubt, contact your camera manufacturer.
Just as the IT community was getting to grips with Heartbleed, another security flaw was discovered in the Unix operating system, which is the basis of the Linux operating system. Bash is a component of Unix which processes commands, and by exploiting the flaw in the code, users can execute arbitrary code given certain conditions.
Like Heartbleed, some IP devices are vulnerable and others are not. Axis Communications for instance was able to explain that its cameras are not vulnerable because they don’t use Bash. Others that aren’t affected include Mobotix, Vivotek, Arecont Vision, Panasonic, Lilin, Sony and Canon.
NUUO and QNAP have issued fixes and updated firmware.
There are simple tests you can run on your cameras to determine whether they are vulnerable which involves sending a simple command to your camera. A network engineer can help you test your cameras and apply any necessary patches.
The best advice from security experts would include not exposing your cameras to an outside network, but if you must, then ensure that you use a firewall with strictly configured rules, turn off remote configuration tools and isolate the camera from the internal network so if it gets hacked (assume it will), you haven’t inadvertently provided hackers with a gateway to your entire network.
