Slashdot Mirror


Someone Is Taking Over Insecure Cameras and Spying on Device Owners (bleepingcomputer.com)

As security webcams, security cameras, and pet and baby monitors become part of our lives, their underlying technology is increasingly receiving scrutiny from researchers. Many of these devices are woefully insecure, and an attacker could take over these devices -- and in some cases has -- to perform internet scans, among other things. BleepingComputer's Catalin Cimpanu dives into the subject: In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID, and a password found on the device's box or the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's devices in turn, based on the device ID and the last IP address the device has reported from.


27 of 57 comments

  1. 'Someone'? by Anonymous Coward · · Score: 1

    This indicates that it's a rare or relatively small occurrence, when in reality this is being done by thousands of people at any one moment. Stop buying terrible insecure public-facing IP cameras!

    1. Re:'Someone'? by AHuxley · · Score: 2

      Let's stop the few big search engines from displaying the needed search results to find any such networks.
      When nobody can find the open networks, then the wide open IoT networks are not going to be accessed.

      Nobody can design their own internet search engine to scan global networks.
      Even if some smart person could design the method to run their own search engine they could not buy the bandwidth needed.
      A person with the smarts and bandwidth would need a lot of time to collect such IoT data globally.
      No search results and security is improved for all...
      Stop collecting any IoT related network results.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:'Someone'? by Sique · · Score: 2

      Nobody ever wrote a network scanner which just looped over all IP addresses. Can't happen. Was never done.

      --
      .sig: Sique *sigh*
    3. Re:'Someone'? by 110010001000 · · Score: 1

      Exactly. It isn't as if you can scan entire networks looking for open ports using a simple shell script. You would have to be a genius to do that, and we all know all those guys work at Google. Solution: shutdown Google. Problem solved.

    4. Re: 'Someone'? by nnull · · Score: 2

      I've installed Hikvision cameras in my warehouse. They are pretty neat cameras for the money, with h265 support and nice resolutions, saving you A LOT of data storage. But they are seriously unsecured. All of them are inside a VLAN that doesn't allow traffic to the internet or the rest of the network. Despite that, Hik-Connect works just fine through a VPN, so I don't know why you need this stuff uploading to the "Cloud".

      But despite all these simple things you can do to secure these security cameras, nobody else does it. Security camera installers put these damn things open to the internet so their customer can easily access it from outside networks without realizing so can I. You'd be surprised how many places I have access to now, like other warehouses, manufacturers, and *cough* competitors, because security firms are such absolute failures in security.

      You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

    5. Re:'Someone'? by 110010001000 · · Score: 1

      It might be possible today now that we have Deep Learning Neural Network AI powered by the Cloud. But it was totally impossible to do before that.

    6. Re:'Someone'? by houghi · · Score: 2

      I tried it once, but do you have ANY idea how hard it is to type them all in?

      #!/bin/bash
      for I in 0.0.0.0 0.0.0.1 0.0.0.2 0.0.0.3 0.0.0.4

      I typed it in till 0.255.255.255 and did a test run. Nothing.

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:'Someone'? by mikael · · Score: 1

      You mean shodan.io

      https://www.shodan.io/

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    8. Re: 'Someone'? by Chelloveck · · Score: 1

      You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

      Why? From the installer's point of view actually securing the cameras is a lot more work and raises the cost. Cost is the driving factor in the consumer's mind, and most consumers have no way to evaluate the security. So an installation that's actually secure costs much more than an installation that merely claims to be secure. A secure system also generates a lot more service calls. "Help! I lost my password! What do you mean, you can't tell me what it was? What the hell am I paying you for?!" Convenience trumps security almost every time.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    9. Re:'Someone'? by Hognoxious · · Score: 1

      Quite. It's closer to everyone.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re: 'Someone'? by d0rp · · Score: 1

      so I don't know why you need this stuff uploading to the "Cloud".

      The only real reason I've been able to come up with for why you want to upload your home security video to "the cloud" would be to have an off-site backup so you have a way to look at the video and see who burned your house down. A reasonable solution to that would be to have it periodically encrypt the footage and upload it to some general "cloud" storage solution where only you have the key to unlock it. Why anyone would want to have a camera in their home watching them all the time being uploaded and controlled by a third-party company baffles me.

  2. Unsecured by Anonymous Coward · · Score: 2, Informative

    Please use the right term. I know the other can mean it but..ugh

    1. Re:Unsecured by forkfail · · Score: 1

      Seriously, this should not have been downvoted.

      That a request for precision in technical language is considered troll worthy on /. is about as sure a sign that we're gonna get that this place has well and fully jumped the shark.

      --
      Check your premises.
    2. Re:Unsecured by ClickOnThis · · Score: 1

      This. Don't anthropomorphize cameras. They hate that.

      --
      If it weren't for deadlines, nothing would be late.
  3. And with the previous story by Chris+Mattern · · Score: 1

    We now can have hackers tapping all those cameras in schools!

  4. What's old is new again by Snotnose · · Score: 3, Interesting

    30 years ago I was sysadmin for a network of maybe 20 Sun workstations. We got some new machines, naturally the boss got the first one. Found out about the mic and told the boss this might be a problem. He asked "why? It can be useful". I asked him to give me a minute, then call someone into his office and small talk for a minute. I went to my cube, logged into his machine, recorded him for a minute or so, then mailed him the audio file.

    Spent the next couple hours opening up these brand new workstations and clipping a wire.

    Why yes, I do have tape over my laptop camera. Why do you ask?

    1. Re:What's old is new again by mikael · · Score: 1

      You could do that with SGI workstations as well. Login remotely, take a framegrab of the camera and record the microphone.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  5. This story answers the question asked... by forkfail · · Score: 5, Insightful
    --
    Check your premises.
  6. Re: Foscam by nnull · · Score: 1

    No h265. All those Chinese cameras actually offer better capabilities than Foscam.

  7. This is nothing new... by ewhenn · · Score: 1

    Proper security is to drop traffic by default and whitelist what you need. You never truly know what your devices will try to do. As an example fitting this article, I installed security cameras outside my home and linked them to a Linux-based PVR for the interface/recording. I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws. I never asked or gave consent for this to happen. The same thing would go with any other network device really: I don't want it to have access to the Internet unless I explicitly give it access.

    master@EdgeRouter:~$ sudo tcpdump -i eth0 host 192.168.1.248
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)
    22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)
    22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4
    22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4
    22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4

    Do you want your devices to serve you, or do you want your devices to serve the device maker or some other random person due to insecurity? It might seem extreme to some but as far as I'm concerned the only sane thing to do is treat *every* device as hostile until you know otherwise, drop all packets with a hardware firewall by default, and only approve the traffic you want to go out.
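    The comment above describes the practical workflow: default-deny, watch what the firewall drops, then decide what to whitelist. The script below is an added example, not ewhenn's code or anything from the page: it parses tcpdump lines in the format quoted above, keeps only packets originating from the listed device addresses, and splits their destinations into LAN hosts (candidates for an allow rule) and external hosts (what the default-deny rule is catching), plus any DNS names the device asked for. The sample input reuses the five quoted lines and adds one constructed LAN line (the camera talking to a recorder at 192.168.1.50) so the allow side is not empty; the LAN prefix 192.168.1.0/24 is assumed from the addresses in the dump. Resolved hostnames (tcpdump run without -n) are treated as non-LAN, which is why the AWS entries land in the external set.

```python
import ipaddress
import re

# Constructed sample: the five tcpdump lines quoted in the comment above plus
# one constructed line of camera-to-recorder traffic on the LAN.
SAMPLE_DUMP = """\
22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)
22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)
22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4
22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4
22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4
22:13:49.000000 IP 192.168.1.248.554 > 192.168.1.50.40000: Flags [P.], length 120
"""

# One tcpdump IPv4 summary line: timestamp, "IP", src.port > dst.port: details
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' into (host, port). The port is the last
    dot-separated component and may be a service name such as 'domain'."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def is_lan(host, lan_net):
    """True only for a literal address inside lan_net. A resolved name (tcpdump
    run without -n) cannot be checked, so it is treated as not on the LAN."""
    try:
        return ipaddress.ip_address(host) in lan_net
    except ValueError:
        return False


def parse_line(line):
    """Return a dict for a packet summary line, or None for header/noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    # Heuristic: tcpdump prefixes UDP payloads with "UDP"; DNS is UDP here too.
    udp = rest.startswith("UDP") or "domain" in (src_port, dst_port)
    return {"ts": m.group("ts"), "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port,
            "proto": "udp" if udp else "tcp", "info": rest}


def egress_report(dump_text, device_ips, lan_cidr="192.168.1.0/24"):
    """Summarise where each monitored device tries to talk.

    Returns {device_ip: {"lan": {(dst, port, proto)}, "external": {...},
                         "dns": {queried names}}}. Replies and traffic from
    other hosts are ignored: only packets *sourced* by a device are egress."""
    lan_net = ipaddress.ip_network(lan_cidr)
    report = {ip: {"lan": set(), "external": set(), "dns": set()} for ip in device_ips}
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["src"] not in report:
            continue
        entry = report[pkt["src"]]
        key = (pkt["dst"], pkt["dport"], pkt["proto"])
        (entry["lan"] if is_lan(pkt["dst"], lan_net) else entry["external"]).add(key)
        q = re.search(r"\bA\? (\S+)\.", pkt["info"])  # DNS A query, trailing dot dropped
        if q:
            entry["dns"].add(q.group(1))
    return report


if __name__ == "__main__":
    for dev, seen in egress_report(SAMPLE_DUMP, ["192.168.1.248"]).items():
        print(f"{dev}: DNS lookups {sorted(seen['dns'])}")
        for dst in sorted(seen["lan"]):
            print(f"  allow  {dst[2]} -> {dst[0]}:{dst[1]}   (on LAN, candidate allow rule)")
        for dst in sorted(seen["external"]):
            print(f"  BLOCK  {dst[2]} -> {dst[0]}:{dst[1]}   (off LAN, stays default-deny)")
```

    Run it against a real capture by piping `tcpdump -n -i <lan-if> src net 192.168.1.0/24` into a file and passing that text to egress_report with the camera addresses; with -n the destination column is always an address, so the LAN check is exact. The external set is what you would review before adding any allow rule, and the dns set tells you which names the device resolves before it starts talking, which is often the quickest way to recognise a vendor relay.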

    1. Re: This is nothing new... by nnull · · Score: 1

      I buy them for their capabilities. I block them all automatically expecting them to be unsecured or calling home. That's the nature of things right now. Device makers are trying to make an easy plug and play device for customers while at the same time creating a device that's just completely unsecured. Because making a device difficult to use to normal people doesn't sell.

  8. No way? by DalM · · Score: 1

    You mean putting an always on, always connected streaming camera in your home is a privacy and security issue?

    I just can't believe that.

  9. "Someone"? by MonteCarloMethod · · Score: 1

    This title feels to me like the time I heard that "The Nigerian Prince scam has been shut down". The? The? The? Does anyone actually believe that any of these things are due to one bad actor?

  10. Harmless curiosity by hyades1 · · Score: 1

    So does Scarlett Johansson have a baby monitor?

    Asking for a friend.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Harmless curiosity by hyades1 · · Score: 1

      A buddy of mine used to set their baby monitor up in the rec room. It picked up the one in the house next door flawlessly.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  11. Inaccurate description by Gabest · · Score: 1

    The cloud server cannot connect to the camera. The camera has to be permanently connected to the server because it is usually behind a home router. Unless it is a very old IP cam which only has an HTTP-based MJPEG stream.

  12. i have 4 iot foscams by FudRucker · · Score: 1

    But I saw this sort of thing happening, so I bought a second router just for the four cams I use to monitor four different directions outside my home. None of them are connected to the internet, because this second router does not have internet access; it is a LAN-only setup. Not only does it keep the cameras off the internet, but those four cameras streaming live video are a bandwidth hog, so my internet is not being bogged down with streaming video on the LAN side.

    --
    Politics is Treachery, Religion is Brainwashing