With approximately 5.5 million new devices being connected to the Internet everyday, the Internet of Things presents the biggest security challenge to date for IT professionals. Essentially, an IoT device that’s not secured can easily fall prey to hackers, and with so many different devices being connected, it’s easy to overlook a device or two, like your security cameras.
The creepy risk associated with not securing an Internet-connected security camera was recently reported on by Lisa Vaas of Naked Security. In her article, “DVR snaps stills from CCTV surveillance and sends them to China,” she presents findings from researchers at UK-based Pen Test Partners about the security holes found in the Internet of Things.
For the study, Pen Test Partners researchers analyzed data from Shodan, which is essentially a search engine for Internet-connected devices, like buildings, smart appliances, webcams, and much more. In particular, the researchers used Shodan to look at Internet-connected surveillance cameras.
Before we go into the technicalities of what they found, let’s take a step back and warn everybody who uses a webcam or Internet-connected surveillance camera that even a novice PC user can create a free account with Shodan and use it to search for, access, view, and even control unsecured cameras. We were skeptical of this claim when we first heard about it, but the proof is in the pudding. Check out these stills from random surveillance cameras we came across on Shodan:
These cameras are just random ones that we stumbled upon. However, Shodan has been criticized for giving its users easy access to cameras that are sensitive in nature. Vocativ cites findings by Ars Technica:
These webcams show feeds from sensitive locations like schools, banks, marijuana plantations, labs and babies’ rooms. Shodan members who pay the $49 monthly fee can search the full feed at images.shodan.io. A Vocativ search of some of the most recently added images shows offices, school, porches and the interior of people’s homes. Accompanying each of these grabs is a pinned map that shows the location of the device capturing that footage.
If that doesn’t creep you out, then lets go back and take a look at the even-more-in-depth findings of the first study we mentioned by Pen Test Partners. Vass reports:
The device also has no Cross-Site Request Forgery (CSRF) protection, so attackers can trick users into clicking on links to carry out malicious actions; it has no lock-out, so attackers can guess as many passwords as they like; it sends communications without HTTPS that can be intercepted and tampered with; and there’s no firmware updates, so “you’re stuck with these issues,” Pen Test Partners said. But weirdest of all, the thing is capturing still images from video feeds and emailing them to an address that appears to be hosted in China.
As far as why surveillance images were being sent to China, that’s a mystery that Pen Test Partners was unable to get to the bottom of. We could speculate as to what’s going on here, but at the risk of letting our imaginations run wild and sounding like conspiracy nuts, we won’t. Instead of making wild speculations, we want to communicate that we’re here to help your company secure all of its Internet-connected devices from the prying eyes of everyone on the web.
Are you confident that all of your IOT devices are secure enough to keep hackers out of your network? Do you even know if you have IoT devices on your network transmitting data across the web? Or at the very least, are you sure that random Shodan users aren’t making a highlight reel from your surveillance camera footage? To get a grip on the security of every Internet-connected device on your company’s network, give NuTech Services a call at 810.230.9455.
