Slashdot Mirror


Cheap Web Cams Can Open Permanent, Difficult-To-Spot Backdoors Into Networks

An anonymous reader writes: They might seem small and relatively insignificant, but cheap wireless web cams deployed in houses and offices (and connected to home and office networks) might just be the perfect way in for attackers. Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network. They bought a consumer-grade D-Link WiFi web camera for roughly $30, and cracked it open. After installing a back-door to the Linux system that runs the camera, and then turning off the ability to update the system, they had an innocent-seeming but compromised device that could be stealthily added to a network environment.

77 comments

  1. I still don't get why people use these by Anonymous Coward · · Score: 1

    They've learned to tape over the webcam in their laptops but this? Oh man.

  2. You get what you pay for by slacka · · Score: 1, Offtopic

    If you're the kind of person who thinks it's a good idea to place an off-brand $20 Internet connected web cam on your network, that's probably the least of your worries.

    1. Re:You get what you pay for by Anonymous Coward · · Score: 3, Insightful

      I agree, but:
      This article is good because it lets us (the good guys) send a link to this article to the ignorant guys (managers etc), so that a sense of urgency is formed. Then maybe we are allowed to allocate resources to protect ourselves - at least from the script-kiddies and the semi bad guys.
      (For the really skilled bad guys, even many professional organisations will fail in the long run)

    2. Re:You get what you pay for by Barny · · Score: 2

      There is that but this is old old old news.

      https://youtu.be/B8DjTcANBx0

      And back then it was even big, high quality (and price tag) cameras that were at fault.

      Basically, these sorts of things must be on their own vlan and cut off from all access that isn't to the monitoring station/area.

      --
      ...
      /me sighs
    3. Re:You get what you pay for by WaywardGeek · · Score: 4, Interesting

      Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

      Would it matter if the device were a $20 webcam, a $2,000 desktop PC, a $50 Wifi router, or a $100 HP printer?

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
    4. Re:You get what you pay for by plover · · Score: 2

      Here's a nice warm thought to keep everyone up at night: What is to keep hackers who enjoy this sort of thing from buying devices at BestBuy, hacking them to insert remote back doors, and then returning them to BestBuy the next day? If they put it back in the packaging, possibly with new shrink-wrap, they could claim they never even opened it, and it would go right back on the shelf for some unsuspecting victim to buy.

      But ... that could never happen. There's yellow tape on the box assuring me that it was inspected and repackaged by Best Buy experts. Experts! And we all know only experts are permitted access to the yellow tape dispenser.

      I have little doubt the same experts refurbished one of the returned washing machines I was looking at. I wanted to see how the drain filter would work so I opened it, and while I looked disgustedly at the slimy lint still trapped in the filter, about a gallon of water poured into their carpets. I guess that's what karma looks like.

      --
      John
    5. Re:You get what you pay for by Dr.Dubious+DDQ · · Score: 2

      That's a good point, though it seems like a lot of effort to get a device into a random, unknown network at a random, unknown time.

      To me, it merely emphasizes that being able to replace the OS/Firmware oneself is important, and should be done with any new device.

      Doesn't really matter if Spyware McWebcam put a malware OS on the device if I'm just going to overwrite with a good firmware of my own choosing before putting it on my network.

      Same goes for full computers, too, along with "smartphones" and tablets, which seem like they'd be bigger targets. One could do a lot more harm with a backdoored iPhone or Android device returned as "new, unopened" than a webcam.

    6. Re:You get what you pay for by rthille · · Score: 2

      How is this different from _any_ device these days?

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    7. Re: You get what you pay for by nuckfuts · · Score: 1

      It's a good practice to always start by downloading and installing the latest firmware when you get your device home. In the example described here, they claim to have disabled updates somehow. Attempting to update might at least alert you that something is amiss.

    8. Re: You get what you pay for by Anonymous Coward · · Score: 0

      It wasn't off brand. It was a damn D-Link consumer grade camera. D-Link isn't some obscure company.

    9. Re:You get what you pay for by Anonymous Coward · · Score: 0

      Agreed - only that "these sorts of things" might be everything really.
      (Depending on the level of paranoia / how interesting/valuable your secrets are)

    10. Re: You get what you pay for by mikael · · Score: 1

      But how do you install the firmware? That usually requires that you connect the device to a PC first.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  3. webcam distro? by ChunderDownunder · · Score: 2

    The article mentions the d-link embeds Linux.

    Is there a dd-wrt equivalent for webcams and a list of compatible models? Or are these things generally tivoized?

    1. Re:webcam distro? by Bert64 · · Score: 1

      A lot of the cheap Chinese cameras seem to be based on the same Linux distro (hilinux?) with the same crummy UI on top. I'm not sure how the frontend actually talks to the camera hardware but it's probably not through the standard Linux video APIs.

      A lot of them run telnet by default (and you can't turn it off through the standard UI), and have a hard coded password although the password tends to vary by manufacturer. I hooked up mine to a TTL console and changed the passwords at least, but I'd love to be able to put a sensible open source firmware on them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:webcam distro? by michelcolman · · Score: 1

      But why does a webcam have to run Linux? Why do even the simplest of devices need full blown operating systems? Can't they just program the thing for whatever it needs to do and nothing more? No wonder all these IoT devices are full of security holes. These days, if you ask an engineer to make you an alarm clock, the first thing he'll do is slap some chips together and install Linux on it. I wish I were exaggerating.

    3. Re:webcam distro? by OolimPhon · · Score: 2

      These are IP cameras, that is, a camera which runs a website that can stream whatever the camera is pointing to.

      I recently bought one of these to act as a baby monitor. It needs an OS in order to run the web software and Linux is already available, so why not use it? I'm betting the configuration used chops out almost everything apart from the absolute essentials.

      I have a Foscam FI8910W. The first thing to note is that initial configuration including a mandatory root password change /must/ be done using an Ethernet cable. At that point you can choose to use the wifi link or disable it; the same with uPnP. Wifi is paired with my wifi router and, as far as I can tell, only by connecting to the router with a MAC-listed client can anyone access the camera.

      There is a Dynamic-DNS facility to access the camera over the Wild West Interwebs but that requires configuration which I have disabled as not required.

    4. Re:webcam distro? by Dr.Dubious+DDQ · · Score: 1

      I was wondering exactly that. "So, someone with physical access to your webcam can crack it open and analyse the firmware? Gosh. I'm frightened. Someone who has connected to your internal network and knows you have a specific model of IP webcam and happens to have a canned custom firmware that they can upload to it (if you've not changed the default admin password)? Slightly frightened, but not much. But 'getting root' so I can modify and more fully control my own low-cost IP cameras? Tell me more!"

    5. Re:webcam distro? by mikael · · Score: 1

      To have a device connect to the Internet, you need a network chip (NIC), and that requires a TCP/IP stack. In turn that requires some basic OS, like Linux (embedded, no GUI, printers or any other drivers except a network driver). It's more cost effective writing a driver in C/C++ on a Linux system than it is to hire a microcode/firmware engineer. A webcam does live JPG/MPG compression and streaming as well as receiving commands, so that requires multithreading. Trying to optimize and write that in assembler/microcode would take years. It's cheaper just to buy an embedded CPU and high-level toolchain.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    6. Re:webcam distro? by Anonymous Coward · · Score: 0

      > I'm betting the configuration used chops out almost everything apart from the absolute essentials.

      No, it does not. How much did you pay for that monitor? $20? $40? The thin margins and competition to be the lowest cost product (because that's what most people buy) ensures only the minimum necessary modifications get done in order to get the thing to function.

      Do you really think that it is well known Linux security experts or top notch embedded engineers who are working for Foscam and their ilk? Do you really think the engineers that do work for them get the weeks of free time to tinker and research and bring those systems into a well protected, highly secure state? They don't have anywhere near the budget.

  4. Why webcams? by Anonymous Coward · · Score: 5, Informative

    Put ANY compromised hardware on your network, and it's no longer secure. This is news?

    1. Re: Why webcams? by DaHat · · Score: 3, Informative

      How do you know if the device is compromised?

      While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?

      Opt only to buy retail or online from a major vendor? Same issue. How do you know someone hasn't purchased the device, tampered with it, repackaged it with some shrinkwrap then returned it? Or worse, intercepted the shipment prior to you getting it?

    2. Re: Why webcams? by Bert64 · · Score: 1

      You don't know this for ANY device you buy.
      Even if you buy direct from the manufacturer it could have backdoors (see Juniper recently).
      All you can do is take steps to reduce the risk like inspecting the firmware (or replacing it with open source firmware that you can inspect more closely), isolating devices from other things etc.

      My CCTV cameras are not on routable IPs, and don't have direct internet access or access to anything else on my network here; I can connect to a VPN and view the video feed. Aside from me not trusting the cameras, the cables for them run outside so someone could easily unplug them and attach malicious devices to the cables, although hopefully that would be noticed in the last few seconds of video before the camera went offline.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re: Why webcams? by drinkypoo · · Score: 1

      While you hopefully won't use one sent by a known enemy (thanks for spoiling the surprise Greeks!), how do you ensure that a unit you picked up used on eBay or Craigslist wasn't backdoored?

      Easy. I reflash it with the original firmware image before use, or better yet, something superior. I pick up wireless routers used all the time. Sometimes they already have DD-WRT on them. I never, ever am tempted to use it. I always reflash them (with OpenWRT, but regardless) before use.

      I also don't open holes in my firewall for this stuff. If I want to see webcam output, I'll use ipsec.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: Why webcams? by DaHat · · Score: 2

      Easy. I reflash it with the original firmware image before use, or better yet, something superior.

      Unless you use a JTAG to force a flash, you are trusting the honesty/reliability of the existing software to actually update the chip, which is the equivalent of trusting that user mode AV can assure you if a machine is clean or not.

      At DEFCON this year there was a demonstration of infecting the LTE modem in a tablet (OS independent) which not only would persist OS wipes, but even attempted firmware updates: https://www.youtube.com/watch?...

      A long-increasing problem in computing is that you don't just have a single computer, but a box full of computers, many of which run their own software stack that most of us aren't qualified to try to validate... and it's only getting worse.

    5. Re: Why webcams? by drinkypoo · · Score: 1

      While everything you say is true, that's all a long way to go to infect some random asshole's computer. There's a lot of lower-hanging fruit. If I were spending my time trying to infect things, I'd want to hack some company and infect their master image. Infecting routers and donating them to thrift stores hoping to get into an interesting network is a bit of a hopeless gambit. By definition, you aren't going to.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Why webcams? by dsmatthews9379 · · Score: 1

      Good point, and why do people always think of network, singular, when common-sense security suggests that we partition physical and information assets into zones or layers according to the risk they potentially pose vs the need to access services. However the problem with WiFi devices that look or listen to their environment is that while they can be blocked from other parts of your LAN they can still be compromised directly and used to invade your privacy. Why even have cameras when in many cases all you need is a $2 motion detector connected to a $2 WiFi module that can run custom (open) firmware (nodemcu)? Even when you need a camera does it need to be online or simply able to record in a loop that is saved in a secure manner, which you then physically access when you need to audit the footage?

    7. Re: Why webcams? by jhol13 · · Score: 1

      How do you know if the device is compromised?

      It has Linux inside.

      Seriously, the OSes in these systems are too buggy and make exploits far too easy. Not to mention the application programs.

  5. Cheap. by Anonymous Coward · · Score: 0

    Yep. Everyone wants cheap. Cheap, cheap, cheap.

    1. Re:Cheap. by Anne+Thwacks · · Score: 1

      Cheap, cheap, cheap.

      You are a sparrow, oh, wait...

      Moo!

      --
      Sent from my ASR33 using ASCII
  6. Segment the network. by willy_me · · Score: 2

    All questionable devices should go on a separate network segment that is isolated via a strict firewall. If I can not compile and install OpenWRT on my device, it does not go onto my main network.

    1. Re:Segment the network. by Required+Snark · · Score: 0

      You're absolutely right.

      And littering is illegal, as is drunk driving, speeding, taking drugs, robbery, destroying property, arson, maiming people and murder. You seem to have the delusional belief that all it takes is pointing out that something is wrong and it will just not happen.

      I've never been to that universe. I've never met anyone who claims to have been there either.

      You feeling stupid yet? If you're not, then it's even more evidence that there is something really really wrong with you.

      Maybe you should not be allowed to drive a car, operate heavy equipment, handle sharp objects, or be allowed out in public without responsible adult supervision.

      Based on what you just said, you may very well be a danger to yourself and others. Legal action could be appropriate.

      --
      Why is Snark Required?
    2. Re:Segment the network. by Anonymous Coward · · Score: 0

      Thank you for your constructive comments. I really appreciate that!

    3. Re:Segment the network. by Aristos+Mazer · · Score: 1

      I suggest something like an FDA or FCC that is required to give approval for any device sold in the USA that it meets security standards. There's no way most people will recognize the need for a plurality of networks, and even if they do, having a webcam on a separate network still doesn't prevent it from phoning home and sending photos of your house to criminals wanting to see if you're not there right now. Without a vetting agency of some sort, these devices are going to continuously cause problems for the USA and home security. I'm aware of the problem and can't necessarily vet a device that I'm interested in. I'd love some support in this area, be it government or corporate, although regulation certification is one of those areas where I personally would trust a government agency more.

    4. Re:Segment the network. by Anonymous Coward · · Score: 0

      " If I can not compile and install OpenWRT on my device, it does not go onto my main network."

      Why the fuck would you want a ROUTER SOFTWARE to run your WEBCAMERA?

      Holy fuck you're dense.

    5. Re:Segment the network. by JustAnotherOldGuy · · Score: 1

      All questionable devices should go on a separate network segment that is isolated via a strict firewall.

      I agree, but Joe and Jane Average will never do this or even understand the reason for doing it.

      For the bad guys, the world is full of soft, delicious, blissfully unaware victims-in-waiting like them, and I don't see it getting any better anytime soon.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    6. Re: Segment the network. by Anonymous Coward · · Score: 0

      He did say "main network".

  7. Back door not necessary by Anonymous Coward · · Score: 0

    If it's a random internet-connected camera that you control, you can just use it as a camera to steal passwords.

  8. "Smart" webcams do that by Gaygirlie · · Score: 1

    "Smart" webcams are always a risk, manufacturers insist on believing those devices should be available from the Internet and will try to use UPnP and other tricks to open themselves up for access from there. I have a need for a WiFi-enabled webcam that I can stream live video from, but I was planning on just getting a ~$20 400MHz ARM-CPU WiFi router with OpenWRT on it and a regular USB webcam, and streaming the MJPEG stream over RTP/RTSP -- since the video coming out of the camera is already encoded it requires almost nothing from the router's CPU to stream it as-is, and this way I have complete control over the entire stack and I control who and where the stream goes to.

    1. Re: "Smart" webcams do that by Anonymous Coward · · Score: 0

      Try motion. Does what you need

    2. Re: "Smart" webcams do that by Gaygirlie · · Score: 1

      If you are referring to http://www.lavrsen.dk/foswiki/... with "motion" then no, it doesn't do what I need. I was talking about making a WiFi-connected streaming camera and you're talking about a library for detecting motion -- two entirely different things. You still need a source of video to detect motion in and a device to run that library on in the first place, you know? It doesn't magically work on its own. And besides, a simple PIR attached to a GPIO-port will require a whole effing lot less CPU-power in order to detect motion than doing it in software via that library.

  9. Shouldn't matter by Artem+S.+Tashkinov · · Score: 1

    In a perfect corporate environment no network equipment is trusted by default, i.e. even if you install a malicious device the network will remain secure.

    Nowadays, there's no other way due to BYOD: even though some companies may explicitly forbid the use of your own devices, realistically it's nigh impossible to implement which means you cannot and mustn't trust any devices on the intranet.

    1. Re:Shouldn't matter by Anonymous Coward · · Score: 0

      And for home users... Most mobile and desktop OSes are now "internet safe" by necessity. People take computers and phones to airports, coffee shops and other public places, and they need to resist the attacks. A compromised device on the LAN gives attackers direct access to some ports which are normally not available, but threats against home users seem to have shifted from attacking local services to attacking clients such as the web browser (pull based malware). I suppose one could argue the reverse, that successful protection of the LAN could have forced the malware authors to the more difficult option. Either way, the things at the greatest risk are sloppily made electronics which make assumptions about the security of the LAN. Probably a lot of "smart devices". These things are at an early stage of development, and people will go through many iterations as they become obsolete. Hopefully, the manufacturers will make them safe against threats on the local network soon. For non-essential controls, like lighting, it's not even stupid to use the LAN as a boundary of trust -- worst case is that a hacker can turn the light on and off. However, the devices should be made safe against remote code execution, DoS, etc.

    2. Re:Shouldn't matter by Lumpy · · Score: 1

      Yes there is.

      Step 1 go to the CTO's office and kick him square in the nuts. Go to the CIO's office and do the same. While you are kicking them in the nuts keep repeating.. "quit being a dumbass and stop saying BYOD. BYOD is a security hole and I will kick you in the nuts until we stop this stupid policy."

      Step 2 once they see the light, go to the CEO's office and repeat.

      --
      Do not look at laser with remaining good eye.
    3. Re:Shouldn't matter by Anonymous Coward · · Score: 0

      Except that it's really:

      Step 2 Enjoy your tasing and jailing.

      Step 3 Have a nice job hunt with that criminal record.

      BYOD is here to stay, you'd better get used to it. Trying to stop it is like standing on a train track waving your arms to stop an oncoming bullet train.

  10. Webcams just an example ANYTHING that runs OpenWRT by petes_PoV · · Score: 1

    If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.

    Of course, there's probably a "dark" list of devices that can be hacked - just not by kiddies with a simple PC. Ultimately, nobody can defend against them.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  11. Block off access to the internet by Anonymous Coward · · Score: 1

    I have a cheap Chinese made ip camera and the first thing I did was ensure that it did not have access to the Internet. Sure it can access the local network and try to do something malicious if the firmware is programmed to do so but it won't be able to phone home.

    1. Re:Block off access to the internet by Anne+Thwacks · · Score: 1

      I have a cheap Chinese made ip camera and the first thing I did was install my own backdoor

      That was the whole point of buying it!

      --
      Sent from my ASR33 using ASCII
    2. Re: Block off access to the internet by Anonymous Coward · · Score: 0

      Why would you buy an IP cam and block it from the Internet?

  12. No need to crack the camera by WoOS · · Score: 1

    There is currently a report by a German computer magazine (not so good Google translation) where IP cameras sold by a large German supermarket chain had an awful standard configuration in
    a) not asking for a new password for external access and
    b) automatically opening (via UPnP) an existing firewall.
    Seemingly even after an update there are still hundreds of these cameras reachable on-line.

    So one does not have to wait for a malign party to 'crack' a camera. Insufficient security knowledge at manufacturer and user is enough.

  13. Linux webcam compromised .. by tetraverse · · Score: 2

    "Limitations to this type of attack are obvious: attackers must be skilled enough to create a backdoored flash image, and find a way to deliver it to the device - either by "updating" an already deployed device, or by getting their hands on it before it's installed." ref

  14. cheap transistors do that by Anonymous Coward · · Score: 0

    Yeah, I still can't get over that a 1995 era win 95 computer, minus hard drive, can cost less than one dollar to fab today. It's fucking ludicrous. Whereas, software is as expensive as ever. So, you need something to control where a webcam is aimed? Slap in an entire PC. Done.

    1. Re:cheap transistors do that by Anne+Thwacks · · Score: 1

      a 1995 era win 95 computer, minus hard drive, can cost less than one dollar to fab today.

      Or you can buy a second hand one with the 40MB hard drive still in it for the same dollar! (Might cost $5 per month for the electric bill, though).

      You might want to update to Win98 - or NetBSD for security: I can't imagine MS trying to install Win10 on it will leave it working.

      --
      Sent from my ASR33 using ASCII
  15. Nothing surprising... by Anonymous Coward · · Score: 1

    You're buying a webcam, you're already exposing yourself.

  16. IoT attack surface area by WOOFYGOOFY · · Score: 1

    Researchers from the Vectra Threat Lab have demonstrated how easy it can be to embed a backdoor into such a web cam, with the goal of proving how IoT devices expand the attack surface of a network

    This needed to be proved?

  17. Don't know enough about available cameras, by jenningsthecat · · Score: 1

    so I'll ask the question. Aren't there USB cameras available with sufficiently high resolution and sufficient light sensitivity to do the job? If so, couldn't one install a secure configuration of Linux on an SBC, (a Raspberry Pi perhaps), pack it into a suitable enclosure, and call the job done?

    Granted, the camera might take a little longer to boot up than a purpose-built one, but in many cases that won't be much of a disadvantage. Also, non-geeks aren't going to put these things together. So maybe there's a business opportunity here to package a customized OpenWRT-based SBC with an off-the-shelf USB camera and sell 'truly secure' security cameras? Just a thought...

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re: Don't know enough about available cameras, by Anonymous Coward · · Score: 0

      USB 2 doesn't have the bandwidth to handle a high-res, high-framerate stream. There's not enough power/CPU to do any serious compression, and having to decompress it to do motion detection or transcoding afterwards is a waste.

    2. Re:Don't know enough about available cameras, by Lumpy · · Score: 1

      So tell me where you can get weather tight USB cameras that will work on a 60 foot long cable run. If you really want to roll your own, get Raspberry Pis and the camera modules, and write your own software for them as network cameras. That way you know what is running on them.

      --
      Do not look at laser with remaining good eye.
    3. Re: Don't know enough about available cameras, by Gaygirlie · · Score: 1

      There's not enough power/CPU to do any serious compression, and having to decompress it to do motion detection or transcoding afterwards is a waste.

      Depends on what you connect the camera to. An RPi, for example, can encode the video in H/W and thus the CPU is free to do anything else. You could also do motion-detection before encoding, or you could use an actual infrared-sensor to handle motion-detection and thus the CPU could just sit idle.

  18. People Missing The Real Issue by Anonymous Coward · · Score: 1

    People seem to be getting lost in the weeds on this story. This issue isn't that webcams or any IoT device is a risk if it contains a backdoor. That's obvious and not new.

    The real issue is that SO many of these webcams and IoT devices are intentionally exposed to the internet while having poor security and virtually no updates from the manufacturer. This leaves a plethora of devices directly exposed to the internet just waiting to be rooted by various vulnerabilities and then malicious actors have full access to your LAN.

    This isn't new. But the volume has been turned way up. The number of installed devices is huge and getting bigger every day. The number of products being rushed to market by inept startups is ridiculous as is the number of companies that are failing leaving installed devices never to be updated.

    And, don't fool yourself thinking that it's only the camera management apps that are risky. Just recently an OpenSSH vulnerability was found, as others in the past. How many IoT devices are running vulnerable OpenSSH or Dropbear and will never be patched?

    Your super secure network is totally owned the moment some Chinese IP camera or wireless media player or TV stick phones out.

  19. Router lockdowns and monitoring by Todd+Knarr · · Score: 3, Insightful

    This is one reason to segregate devices and have firewall rules that control which devices can make outgoing connections. That way you can ensure IoT and other devices that have no business talking to the Internet can't talk to the Internet.

    I also run a monitoring job that collects MAC addresses and associated IP addresses from the router's ARP cache and reports on unexpected changes. It doesn't make it impossible to slip a device onto my network without it being noticed, but it takes a fair amount more work than the likely intruders will be putting forth. It also helps find the MAC addresses of new equipment that doesn't like to say what its MAC address is.
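
    A monitoring job of the kind described in this comment, as an added example (not the commenter's own script): it parses `ip -4 neigh show` text, diffs it against a saved snapshot and separates DHCP renumbering of inventoried MACs from the changes worth a report (a new MAC, an IP that suddenly answers as a different MAC, a device that vanished). The sample neighbour table, the baseline and the approved-MAC list are constructed for the demo.

```python
"""Watch a router's ARP/neighbour cache for unexpected MAC/IP changes.

Added example, not the commenter's script. It assumes the router's
neighbour table is available in `ip -4 neigh show` text format; a
constructed sample is embedded so the script runs offline.
"""
import json
import re
import subprocess
from pathlib import Path

# Constructed sample of `ip -4 neigh show` output (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev br0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev br0 lladdr aa:bb:cc:dd:ee:20 STALE
192.168.1.21 dev br0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.31 dev br0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.99 dev br0  FAILED
"""

# Constructed previous snapshot: the router, an IP camera and a printer.
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.20": "00:11:22:33:44:20",
    "192.168.1.30": "00:11:22:33:44:30",
}
# MACs you have inventoried yourself; DHCP renumbering of these is expected.
APPROVED_MACS = set(BASELINE.values())

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-f:]{17})\s+(?P<state>\S+)",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address.
    FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def read_live_neigh():
    """Read the real table on a Linux router (not used by the offline demo)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return parse_neigh(out)


def diff_tables(baseline, current):
    """Classify differences between two {ip: mac} snapshots.

    new_device : an IP whose MAC has never been seen before
    ip_moved   : a known MAC now answering on a different IP (DHCP churn)
    mac_changed: an IP that belonged to one MAC now answers as another
                 (ARP spoofing, a cloned MAC, or a swapped device)
    device_gone: a MAC that has disappeared from the table entirely
    """
    events = []
    base_macs = set(baseline.values())
    cur_macs = set(current.values())
    for ip, mac in sorted(current.items()):
        if ip not in baseline:
            kind = "new_device" if mac not in base_macs else "ip_moved"
            events.append((kind, ip, mac))
        elif baseline[ip] != mac:
            events.append(("mac_changed", ip, f"{baseline[ip]} -> {mac}"))
    for ip, mac in sorted(baseline.items()):
        if ip not in current and mac not in cur_macs:
            events.append(("device_gone", ip, mac))
    return events


def filter_expected(events, approved_macs):
    """Drop DHCP renumbering of inventoried devices; report everything else."""
    return [e for e in events
            if not (e[0] == "ip_moved" and e[2] in approved_macs)]


def run_check(neigh_text, baseline, approved_macs, state_file=None):
    """Compare a snapshot against the baseline, optionally persist the new
    snapshot as the next run's baseline, and return the events to report."""
    current = parse_neigh(neigh_text)
    events = filter_expected(diff_tables(baseline, current), approved_macs)
    if state_file is not None:
        Path(state_file).write_text(json.dumps(current, indent=2))
    return events


if __name__ == "__main__":
    for kind, ip, detail in run_check(SAMPLE_NEIGH, BASELINE, APPROVED_MACS):
        print(f"{kind:12s} {ip:15s} {detail}")
```

    On a real router, replace SAMPLE_NEIGH with read_live_neigh() output and load the previous snapshot from the JSON state file written by run_check.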

    1. Re: Router lockdowns and monitoring by Anonymous Coward · · Score: 1

      If your switch supports it, enable port security and tie it to a single MAC address if you're concerned about MAC changes or spoofing. If a different MAC address attempts to talk across the port, the switch will simply shut the port down.

      Agree with segmenting your network though. Even the home network. Firewall / ACL rules at the edge to prevent specific devices or even entire subnets from getting back out on the internet.

      Take it a step further and prevent VLANs from talking with one another unless they really need to.

      Instead of exposing the camera directly to the net, connect to the home network via a VPN and connect to your device that way.

  20. UPnP by Anonymous Coward · · Score: 0

    Who in their right mind leaves UPnP enabled in an internet-facing device like a router?

  21. Re:Webcams just an example ANYTHING that runs Open by sinij · · Score: 1

    Did you know that it is possible to hack a hard disk controller and have it dial home and leak data? The know-how is way beyond hacking web cams.

  22. Easy to protect against. by Lumpy · · Score: 3, Informative

    I have several 1080P ONVIF China security cameras that are known to send video back to China. It is trivial to make these 100% secure and hacker proof, disabling all backdoors, if you have education and knowledge.

    At home, I can see people having the problem as 99% of all citizens are IT uneducated. But a business? There is ZERO excuse.

    I put them on their own VLAN separate from everything else; they can only talk to the recorder PC, and that PC can talk to both networks so we can view the camera streams. The camera VLAN has zero access to the internet, and the recording PC that is straddling two networks has simple rules as well to prevent data leaking.

    And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.

    Businesses that don't spend money on IT that is competent deserve what they get.

    --
    Do not look at laser with remaining good eye.
    1. Re:Easy to protect against. by petes_PoV · · Score: 1

      it is trivial to make these 100% secure and hacker proof disabling all backdoors if you have education and knowledge

      Good. So it will be trivial for you to post a link to the source of your knowledge. Please .... don't be shy.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    2. Re:Easy to protect against. by Anonymous Coward · · Score: 0

      Here you go:

      wired:
      Secure connection

      wireless:
      Extra secure

    3. Re:Easy to protect against. by davidshewitt · · Score: 1

      Putting stuff like this on a separate VLAN is always a good idea to protect against unknown backdoors. To protect against known backdoors, I prohibit those devices from connecting to any of my networks at all.

    4. Re:Easy to protect against. by Anonymous Coward · · Score: 0

      What about Airbnb? That's a business... but it's also a home! And then there's Uber, which is a business... and a car!

    5. Re:Easy to protect against. by tlhIngan · · Score: 1

      And this is the sad part. Most businesses don't have competent IT that even has the first clue about network security. Plus you should ALWAYS have no trust for any device on your network. Treat them all as hostile and only let them have what is needed to do what you want.

      Businesses that don't spend money on IT that is competent deserve what they get.

      Most businesses can't afford an IT person. Most businesses have internet access, usually provided to give customers free wi-fi and provided at a low or highly discounted rate to the business so they could do things like handle emails and social media.

      So you're talking about an owner, a couple of managers and maybe 6 or 7 employees, maybe a couple of computers for office work and social media promotions, and perhaps a few tablets scattered through the store for POS or employee access.

      They will likely buy a cheap webcam and use it for surveillance and maybe even a webcam on their website. And they have no way to configure a "vlan" or anything else because their ISP providing the access gave them a preconfigured wireless router - the most "IT help" they got was the technician who came in and asked what they'd like their private wifi password to be.

      And most other businesses are the same - they're just too small to really care about IT, especially when it's really just a couple of PCs and tablets and smartphones.

    6. Re:Easy to protect against. by Lumpy · · Score: 1

      www.google.com

      Start searching and reading about ethernet, routing, VLANS, and firewalls. Then go from there reading about network security.

      --
      Do not look at laser with remaining good eye.
    7. Re:Easy to protect against. by Anonymous Coward · · Score: 0

      "Most businesses can't afford an IT person. "

      And they get exactly what they deserve.

  23. Re:Webcams just an example ANYTHING that runs Open by Gaygirlie · · Score: 2

    If you want to know what consumer devices pose a security threat (whether cheap or expensive, webcam, router/modem or other device), just look at the list of devices that other people have loaded some version of a Linux based O/S on to. These are the devices that can be easily subverted. If your organisation is sensitive to security threats, the list of "hackable" devices should also be your list of products that should never be allowed to connect inside your company's security fence.

    That's a stupid argument. The devices where it's easy to replace the firmware are also the ones that are the easiest to make sure they are secure, just replace the firmware yourself and then you can do anything you want to make it as secure as ever possible. The more closed the device is the less you can actually do to secure it!

  24. No need to crack it open, the firmware is GPL... by Anonymous Coward · · Score: 0

    Way to make it complicated for no reason whatsoever... why not just download the GPL licensed open source firmware from D-Link, make desired modifications and compile it? The camera will happily accept custom firmware. I know because I've used this method to enable telnet access and add custom features to my D-Link cameras.

    This is just sensationalist bullshit. Pretty much any device can be made into an attack vector if the hacker has access to its admin interface... no need to crack anything open.

    Firmware can be found here: http://tsd.dlink.com.tw/downloads2008detail.asp

  25. Backdoor them by Anonymous Coward · · Score: 0

    Just put a backdoor in every device. Then this government agency can just scan and remotely verify that the device is safe.

  26. I thought everyone said Linux is secure by Anonymous Coward · · Score: 0

    What happened?

  27. Beware houseguests by illtud · · Score: 1

    What about services which allow you to admit houseguests with access to your network? There's already been an accusation of an AirBNB host leaving surreptitious webcams about: http://observer.com/2015/01/co... ...but it would be pretty simple for an unscrupulous guest to leave hidden cameras about to stream other guests' activities.

    I predict a business model in selling modified routers or network attached devices that search for network behaviour indicating this. This is a specialised subset of IDS I guess. I could secure my own setup, but I kinda know what I'm doing, but I don't see 99% of hosts being able to do this, so get going, entrepreneurs! I could see an AirBNB API certifying LANs...