Someone Is Taking Over Insecure Cameras and Spying on Device Owners (bleepingcomputer.com)

As security webcams, security cameras, and pet and baby monitors become part of our lives, their underlying technology is increasingly receiving scrutiny from researchers. Many of these devices are woefully insecure, and an attacker could take over these devices -- and in some cases has -- to perform internet scans, among other things. BleepingComputer's Catalin Cimpanu dives into the subject: In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID and a password found on the device's box or on the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's devices in turn, based on the device ID and the last IP address the device has reported from.


57 comments

  1. 'Someone'? by Anonymous Coward · · Score: 1

    This indicates that it's a rare or relatively small occurrence, when in reality this is happening by thousands of people at any one moment. Stop buying terrible insecure public-facing IP cameras!

    1. Re:'Someone'? by AHuxley · · Score: 2

      Let's stop the few big search engines from displaying the needed search results to find any such networks.
      When nobody can find the open networks, then the wide open IoT networks are not going to be accessed.

      Nobody can design their own internet search engine to scan global networks.
      Even if some smart person could design the method to run their own search engine they could not buy the bandwidth needed.
      A person with the smarts and bandwidth would need a lot of time to collect such IoT data globally.
      No search results and security is improved for all...
      Stop collecting any IoT related network results.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:'Someone'? by Sique · · Score: 2

      Nobody ever wrote a network scanner which just looped over all IP addresses. Can't happen. Was never done.

      --
      .sig: Sique *sigh*
    3. Re:'Someone'? by Anonymous Coward · · Score: 0

      You severely overestimate the resource needs for this. A few thousand micro cloud instances could be used to do the actual scanning, and the bandwidth isn't prohibitive if you send less than a few kilobytes doing a basic scan over the whole public IPv4 internet space. The bandwidth would be in the low TBs and that isn't that expensive.

    4. Re:'Someone'? by Anonymous Coward · · Score: 0

      Totally agree, which is why I only buy cameras that say "I'm totally secure, yo!" on the box. 100% Internet-secureness Guaranteed!

    5. Re:'Someone'? by 110010001000 · · Score: 1

      Exactly. It isn't as if you can scan entire networks looking for open ports using a simple shell script. You would have to be a genius to do that, and we all know all those guys work at Google. Solution: shutdown Google. Problem solved.

    6. Re: 'Someone'? by nnull · · Score: 2

      I've installed Hikvision cameras in my warehouse. They are pretty neat cameras for the money, with h265 support and nice resolutions, saving you A LOT of data storage. But they are seriously unsecured. All of them are inside a VLAN that doesn't allow traffic to the internet or the rest of the network. Despite that, Hik-Connect works just fine through a VPN, so I don't know why you need this stuff uploading to the "Cloud".

      But despite all these simple things you can do to secure these security cameras, nobody else does it. Security camera installers put these damn things open to the internet so their customer can easily access it from outside networks without realizing so can I. You'd be surprised how many places I have access to now, like other warehouses, manufacturers, and *cough* competitors, because security firms are such absolute failures in security.

      You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

    7. Re:'Someone'? by 110010001000 · · Score: 1

      It might be possible today now that we have Deep Learning Neural Network AI powered by the Cloud. But it was totally impossible to do before that.

    8. Re:'Someone'? by houghi · · Score: 2

      I tried it once, but do you have ANY ide how hard it is to type them all in?

      #!/bin/bash
      for I in 0.0.0.0 0.0.0.1 0.0.0.2 0.0.0.3 0.0.0.4

      I typed it in till 0.255.255.255 and did a test run. Nothing.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:'Someone'? by Anonymous Coward · · Score: 0

      This indicates that it's a rare or relatively small occurrence, when in reality this is happening by thousands of people at any one moment. Stop buying terrible insecure public-facing IP cameras!

      I'm posting this using my neighbor's ESS-only wifi camera. :)

    10. Re: 'Someone'? by Anonymous Coward · · Score: 0

      But despite all these simple things you can do to secure these security cameras, nobody else does it. Security camera installers put these damn things open to the internet so their customer can easily access it from outside networks without realizing so can I.

      The problem is the people who install security cameras probably know nothing at all about computer security.

      There are entire websites which allow you to view random, unsecured video feeds from security cameras, because so many of them have so little security it isn't funny. For example, this.

      You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

      And yet, time and time again we see these stories of this internet connected stuff where it's completely open to the world, utterly insecure, and the owners are apparently oblivious to this fact.

      At this point, if it's internet connected, you really need to assume it's insecure as hell.

    11. Re:'Someone'? by Anonymous Coward · · Score: 0

      You kid, but if we had IPV6, you'd be correct.

    12. Re:'Someone'? by Anonymous Coward · · Score: 0

      I bought one of these cameras. They make use of AWS for the cloud servers. While running wireshark I noticed someone from Austin, Texas logging into my camera even though it was password protected.

    13. Re:'Someone'? by mikael · · Score: 1

      You mean shodan.io

      https://www.shodan.io/

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    14. Re: 'Someone'? by Chelloveck · · Score: 1

      You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

      Why? From the installer's point of view actually securing the cameras is a lot more work and raises the cost. Cost is the driving factor in the consumer's mind, and most consumers have no way to evaluate the security. So an installation that's actually secure costs much more than an installation that merely claims to be secure. A secure system also generates a lot more service calls. "Help! I lost my password! What do you mean, you can't tell me what it was? What the hell am I paying you for?!" Convenience trumps security almost every time.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    15. Re:'Someone'? by Anonymous Coward · · Score: 0

      Believe me: if I could find a proper app for a smartphone and a firmware update for my camera then I'd LOOOVE to have the cam stream to a non-internet-connected router and have that router ONLY wi-fi it to my phone! All I want is something to let me be able to carry a cheap smartphone (not even ON a carrier) around the house with me and be able to operate/talkthru/record/motion-snapshot the camera without the world having access.

      Being able to remote lock/unlock a door while I'm (usually) in the wheelchair (on another floor) would be a plus too! But EVERYTHING out there DEMANDS you to be internetted...

    16. Re:'Someone'? by Hognoxious · · Score: 1

      Quite. It's closer to everyone.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    17. Re: 'Someone'? by d0rp · · Score: 1

      so I don't know why you need this stuff uploading to the "Cloud".

      The only real reason I've been able to come up with for why you want to upload your home security video to "the cloud" would be to have an off-site backup so you have a way to look at the video and see who burned your house down. A reasonable solution to that would be to have it periodically encrypt the footage and upload it to some general "cloud" storage solution where only you have the key to unlock it. Why anyone would want to have a camera in their home watching them all the time being uploaded and controlled by a third-party company baffles me.
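
The encrypt-before-upload design d0rp sketches, written out as an added example that is not part of the original comment: AES-256-GCM with a key that stays on the owner's recorder, the clip name bound as associated data so a stored blob cannot be silently renamed or swapped, and tamper detection on decrypt. The clip name and clip bytes are constructed stand-ins, and the upload step is not performed here; the returned blob is what would be pushed to the storage bucket.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. It is generated and kept at home
// (on the PVR/NAS); only ciphertext ever reaches the storage provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealClip encrypts one footage clip with AES-256-GCM. The clip name is bound
// as associated data, so a blob cannot be quietly renamed or substituted for
// another clip in the bucket without the tag check failing.
// Layout of the returned blob: nonce || ciphertext || tag.
func SealClip(key []byte, clipName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is not secret; it is stored in front of the ciphertext.
	return aead.Seal(nonce, nonce, plaintext, []byte(clipName)), nil
}

// OpenClip reverses SealClip. Any modification of the blob, or a wrong clip
// name, makes authentication fail and returns an error, never bad plaintext.
func OpenClip(key []byte, clipName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(clipName))
}

func main() {
	key, _ := NewKey()
	// Constructed stand-in for the bytes of a recorded clip.
	name := "front-door-20180630-2213.mp4"
	clip := []byte("constructed stand-in for clip bytes")
	blob, _ := SealClip(key, name, clip)
	// blob is what gets uploaded; the bucket operator sees only this.
	back, err := OpenClip(key, name, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, clip))
	// Flip one byte of the stored blob: decryption must fail.
	blob[len(blob)-1] ^= 0x01
	_, err = OpenClip(key, name, blob)
	fmt.Println("tamper detected:", err != nil)
}
```

The key is the only secret; losing it means losing the footage, so the design assumes the owner keeps a copy of the key somewhere other than the recorder and the bucket.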

    18. Re: 'Someone'? by Anonymous Coward · · Score: 0

      There's your problem. You are using a shit IDE ;)

    19. Re: 'Someone'? by Anonymous Coward · · Score: 0

      You can scan the whole internet (IPv4) for one port in around 10 minutes with a gigabit port. The infrastructure to run this kind of scan will cost you less than $100 monthly.

      In this case no such scanning is needed since the vendor platform API is abused.

  2. Unsecured by Anonymous Coward · · Score: 2, Informative

    Please use the right term. I know the other can mean it but..ugh

    1. Re:Unsecured by Anonymous Coward · · Score: 0

      /. is all about the feelz these days.

      We need to be accepting of the poor, insecure cameras. And anyone who self identifies as a camera. Who are we to say that a struggling camera is insecure or unsecured?

    2. Re:Unsecured by forkfail · · Score: 1

      Seriously, this should not have been downvoted.

      That a request for precision in technical language is considered troll worthy on /. is about as sure a sign that we're gonna get that this place has well and fully jumped the shark.

      --
      Check your premises.
    3. Re:Unsecured by ClickOnThis · · Score: 1

      This. Don't anthropomorphize cameras. They hate that.

      --
      If it weren't for deadlines, nothing would be late.
  3. And with the previous story by Chris+Mattern · · Score: 1

    We now can have hackers tapping all those cameras in schools!

  4. What's old is new again by Snotnose · · Score: 3, Interesting

    30 years ago I was sysadmin for a network of maybe 20 Sun workstations. We got some new machines, naturally the boss got the first one. Found out about the mic and told the boss this might be a problem. He asked "why? It can be useful". I asked him to give me a minute, then call someone into his office and small talk for a minute. I went to my cube, logged into his machine, recorded him for a minute or so, then mailed him the audio file.

    Spent the next couple hours opening up these brand new workstations and clipping a wire.

    Why yes, I do have tape over my laptop camera. Why do you ask?

    1. Re: What's old is new again by Anonymous Coward · · Score: 0

      Are you trying to argue against yourself?
      You were the admin *and* had physical access! Did you remove windows and doors too because somebody might open them for you because he knows you and you asked, or you simply had a key, and you went in through them and filmed the room?

      How bad are you at /actually/ keeping the intranet (and thereby microphone) safe? Or is your boss a retard who hires untrustworthy psychos? What's your shitty excuse?

    2. Re: What's old is new again by Anonymous Coward · · Score: 0

      >a REAL admin can reduce risk to almost Zero
      Oh good, that will make the feature value of Zero mathematically worthwhile.

    3. Re: What's old is new again by Anonymous Coward · · Score: 0

      Breathe in, breathe out. Now take your meds and go have a nap.

    4. Re: What's old is new again by Anonymous Coward · · Score: 0

      Physical access is a thing. Corporate espionage is a thing. Breaking and entering is a thing.

      What kind of idiot are you? This happens all the fucking time.

    5. Re:What's old is new again by mikael · · Score: 1

      You could do that with SGI workstations as well. Login remotely, take a framegrab of the camera and record the microphone.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    6. Re:What's old is new again by Anonymous Coward · · Score: 0

      Do you tape the cameras of your phone? How about the microphone?

  5. It's me. by Anonymous Coward · · Score: 0, Troll

    I just do it ... uum ... for your /security/.

    That usually makes you swallow ALL the shit. So we're good, right?

  6. Note to self: by Anonymous Coward · · Score: 0

    "Never go into anyone else's house ever again."

  7. This story answers the question asked... by forkfail · · Score: 5, Insightful
    --
    Check your premises.
  8. Actual non-default passwords though! by Anonymous Coward · · Score: 0

    It is a step in the right direction for once that the cameras have passwords that aren't just admin/admin or guest/guest.

  9. Re: Foscam by nnull · · Score: 1

    No h265. All those Chinese cameras actually offer better capabilities than Foscam.

  10. More IoT crap ... by Anonymous Coward · · Score: 0

    Good lord but these vendors must be lazy and incompetent idiots.

    These are products driven by marketing, but with terrible engineering.

    If you can access it from the internet, chances are someone else can. And, from the sounds of it, the company who made them could themselves spy on any of these cameras because they have all of the information needed to login.

    No thanks, you can keep your crappy internet connected stuff.

  11. This is nothing new... by ewhenn · · Score: 1

    Proper security is to drop traffic by default, whitelist what you need. You never truly know what your devices will try to do. As an example fitting to this article, I installed security cameras outside my home and linked them to a Linux-based PVR for the interface/recording. I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws. I never asked or gave consent for this to happen. The same thing would go with any other network device really; I don't want it to have access to the Internet unless I explicitly give it access.

    master@EdgeRouter:~$ sudo tcpdump -i eth0 host 192.168.1.248
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)
    22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)
    22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4
    22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4
    22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4

    Do you want your devices to serve you, or do you want your devices to serve the device maker or some other random person due to insecurity? It might seem extreme to some but as far as I'm concerned the only sane thing to do is treat *every* device as hostile until you know otherwise, drop all packets with a hardware firewall by default, and only approve the traffic you want to go out.
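
A defender-side check for the drop-by-default approach ewhenn describes, written as an added example (not code from the original post or from any vendor): it parses tcpdump summary lines like the ones in the post and reports every camera-originated flow whose destination is outside a LAN allowlist, which is the list of flows a default-deny firewall should already be dropping. The camera address, the LAN range and the Policy type are assumptions taken from the post's capture, and the capture lines are reused as constructed sample input.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SampleCapture is the tcpdump session from the post, used here as sample
// input. The two header lines are kept to show that they are skipped.
// 192.168.1.248 is the camera, 192.168.1.1 the router and DNS resolver.
var SampleCapture = []string{
	"tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
	"listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes",
	"22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)",
	"22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)",
	"22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4",
	"22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4",
	"22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4",
}

// Flow is one parsed "IP src > dst: ..." summary line.
type Flow struct {
	Time, SrcHost, SrcPort, DstHost, DstPort, Proto string
}

// splitEndpoint cuts "host.port" at the last dot; the port may be a number
// or a service name such as "domain".
func splitEndpoint(ep string) (host, port string) {
	i := strings.LastIndex(ep, ".")
	if i < 0 {
		return ep, ""
	}
	return ep[:i], ep[i+1:]
}

// ParseFlow parses one tcpdump line; ok is false for headers and other lines.
func ParseFlow(line string) (fl Flow, ok bool) {
	f := strings.Fields(line)
	if len(f) < 5 || f[1] != "IP" || f[3] != ">" {
		return Flow{}, false
	}
	fl.Time = f[0]
	fl.SrcHost, fl.SrcPort = splitEndpoint(f[2])
	fl.DstHost, fl.DstPort = splitEndpoint(strings.TrimSuffix(f[4], ":"))
	if len(f) > 5 && strings.TrimSuffix(f[5], ",") == "UDP" {
		fl.Proto = "UDP"
	}
	return fl, true
}

// Policy is the allowlist: which hosts are cameras and which networks they
// may talk to. Everything else from a camera is a finding.
type Policy struct {
	Cameras     []net.IP
	AllowedNets []*net.IPNet
}

// DefaultPolicy matches the post: the camera may reach only the local LAN
// (assumed to be 192.168.1.0/24 from the addresses in the capture).
func DefaultPolicy() Policy {
	_, lan, _ := net.ParseCIDR("192.168.1.0/24")
	return Policy{
		Cameras:     []net.IP{net.ParseIP("192.168.1.248")},
		AllowedNets: []*net.IPNet{lan},
	}
}

func (p Policy) isCamera(host string) bool {
	ip := net.ParseIP(host)
	for _, c := range p.Cameras {
		if ip != nil && ip.Equal(c) {
			return true
		}
	}
	return false
}

// allowed is true only for literal addresses inside an allowed network. A
// destination tcpdump printed as a resolved hostname cannot match an address
// range, so it is reported.
func (p Policy) allowed(host string) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range p.AllowedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Audit returns one finding per camera-originated flow outside the allowlist.
func Audit(p Policy, lines []string) []string {
	var findings []string
	for _, ln := range lines {
		fl, ok := ParseFlow(ln)
		if !ok || !p.isCamera(fl.SrcHost) || p.allowed(fl.DstHost) {
			continue
		}
		findings = append(findings, fmt.Sprintf("%s camera %s -> %s port %s %s",
			fl.Time, fl.SrcHost, fl.DstHost, fl.DstPort, fl.Proto))
	}
	return findings
}

func main() {
	for _, f := range Audit(DefaultPolicy(), SampleCapture) {
		fmt.Println("DROP-CANDIDATE:", f)
	}
}
```

On the post's capture this reports the three UDP packets to port 32100 and nothing else: the DNS query to the router stays inside the allowlist, and the router's reply is not camera-originated. Run it with `-n` captures if the resolver is slow; the parser handles both literal addresses and resolved names.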

    1. Re: This is nothing new... by nnull · · Score: 1

      I buy them for their capabilities. I block them all automatically, expecting them to be unsecured or calling home. That's the nature of things right now. Device makers are trying to make an easy plug and play device for customers while at the same time creating a device that's just completely unsecured. Because making a device difficult for normal people to use doesn't sell.

  12. No way? by DalM · · Score: 1

    You mean putting an always on, always connected streaming camera in your home is a privacy and security issue?

    I just can't believe that.

  13. Spotted the teenager by Anonymous Coward · · Score: 0

    is your boss a retard

    Spotted the teenager.

  14. Re: Boners! by CaptainDork · · Score: 0

    And yours is in your head.

    The other one.

    --
    It little behooves the best of us to comment on the rest of us.
  15. "Someone"? by MonteCarloMethod · · Score: 1

    This title feels to me like the time I heard that "The Nigerian Prince scam has been shut down". The? The? The? Does anyone actually believe that any of these things are due to one bad actor?

  16. Harmless curiosity by hyades1 · · Score: 1

    So does Scarlett Johansson have a baby monitor?

    Asking for a friend.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Harmless curiosity by Anonymous Coward · · Score: 0

      So does Scarlett Johansson have a baby monitor?

      Asking for a friend.

      I remember when me and my sister were young, we used to listen to baby monitors and cordless phones on my dad's scanner.
      It was a good time.

    2. Re:Harmless curiosity by hyades1 · · Score: 1

      A buddy of mine used to set their baby monitor up in the rec room. It picked up the one in the house next door flawlessly.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  17. Someone? by Anonymous Coward · · Score: 0

    Someone? Some- one ? Singular?

    You sure?

  18. Inaccurate description by Gabest · · Score: 1

    The cloud server cannot connect to the camera. The camera has to be permanently connected to the server because it is usually behind a home router. Unless it is a very old IP cam which only has an HTTP-based MJPEG stream.

    1. Re:Inaccurate description by Anonymous Coward · · Score: 0

      Some cameras (those insecure by design) open home router ports using UPnP, which is left on by most home users because they don't know any better.

      In these cases yes indeed, the cloud server can and does connect to the camera upon demand. In more secure configurations you actually have to open a port for the camera, though I can't imagine professionals being willing to trust the cloud/camera vendors mentioned in TFA that use this scheme.

      I'm sure cameras exist that provide a permanent connection to a cloud server, but that's not at all the only way these devices connect. So no, the description isn't inaccurate.

  19. i have 4 iot foscams by FudRucker · · Score: 1

    But I saw this sort of thing happening, so I bought a second router just for my four cams, which I use to monitor four different directions outside my home. None of them are connected to the internet because this second router does not have internet access; it is a LAN-only setup. Not only does it keep the cameras off the internet, those four cameras streaming live video are a bandwidth hog, so my internet is not being bogged down with streaming video on the LAN side.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:i have 4 iot foscams by Anonymous Coward · · Score: 0

      Please see https://yro.slashdot.org/comments.pl?sid=12265444&cid=56830062 above.

      I'd love to hear more about how-you-did-what-you-did.
      Someone gave me a Samsung SNH-V6431BN wifi camera and I'd like to have an off-the-net, preferably computerless, system for ONE camera, for starters...