BitDefender malware and IoT (Internet of Things) researchers have uncovered that new smart web cameras can be hijacked and used for spying purposes.
IoT Cams Can Become Rogue
Researchers from BitDefender have uncovered the troubling fact that new IoT (Internet of Things) smart web cameras can be hijacked and used by hackers to spy on unsuspecting users. The experts used a popular model that is described as a feature-rich monitoring device for homes and small businesses. It includes motion and sound detection systems, two-way audio, a built-in speaker and microphone, built-in selectable lullabies, temperature and humidity sensors, as well as a microSD/SDHC slot. It can be used both for surveillance and as a baby monitor, providing communication between the parent and their child.
The device setup is typical for this type of device: a hot spot is created during the initial configuration via a wireless network. Once the installation is complete, a mobile application tries to establish an active connection with the camera's hot spot. After detection, the app connects to it automatically when within range. The next step is to set up the secure credentials for the home network.
The security analysis has shown that there are some serious security issues with the device. Upon initial configuration the hot spot is created without a password. The network credentials are also transmitted in plaintext, allowing anyone in range to freely intercept the information. All communication is encoded with a simple cipher, and no encryption is used.
When the mobile application connects from an external network, it is authenticated through a Basic Access Authentication mechanism. This is considered a very insecure method unless it is used with another security measure such as an SSL implementation. The account credentials are transferred over the Internet in an unencrypted format. The authentication on the device itself is based on MAC addresses, which are very easy to spoof.
Remote attackers can also opt to use various push notification hacks to acquire the password more quickly.
BitDefender suggests that everyone follow these steps before considering buying or installing such devices in their home or office environment:
- All users considering such devices should research their security features in depth and check whether the vendors take these aspects seriously.
- The system administrators who are handling the implementation of the web cameras should make sure that they know how they operate. This includes knowledge of the types of data that are stored in local memory and over the Internet. A privacy risk assessment should be made before considering such options.
- The device owners should read and understand the full contents of the privacy policies before activating and using the devices.
- All users should invest in a cyber security solution that is designed to work with IoT (Internet of Things) devices.