Slashdot Mirror


Someone Is Taking Over Insecure Cameras and Spying on Device Owners (bleepingcomputer.com)

As security webcams, security cameras, and pet and baby monitors become part of our lives, their underlying technology is increasingly receiving scrutiny from researchers. Many of these devices are woefully insecure, and an attacker could take over these devices -- and in some cases has done so -- to perform internet scans, among other things. BleepingComputer's Catalin Cimpanu dives into the subject: In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID, and a password found on the device's box or the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's devices in turn, based on the device ID and the last IP address the device has reported from.


7 of 57 comments

  1. Unsecured by Anonymous Coward · · Score: 2, Informative

    Please use the right term. I know the other can mean it but..ugh

  2. What's old is new again by Snotnose · · Score: 3, Interesting

    30 years ago I was sysadmin for a network of maybe 20 Sun workstations. We got some new machines, naturally the boss got the first one. Found out about the mic and told the boss this might be a problem. He asked "why? It can be useful". I asked him to give me a minute, then call someone into his office and small talk for a minute. I went to my cube, logged into his machine, recorded him for a minute or so, then mailed him the audio file.

    Spent the next couple hours opening up these brand new workstations and clipping a wire.

    Why yes, I do have tape over my laptop camera. Why do you ask?

  3. Re:'Someone'? by AHuxley · · Score: 2

    Let's stop the few big search engines from displaying the needed search results to find any such networks.
    When nobody can find the open networks, then the wide open IoT networks are not going to be accessed.

    Nobody can design their own internet search engine to scan global networks.
    Even if some smart person could design the method to run their own search engine they could not buy the bandwidth needed.
    A person with the smarts and bandwidth would need a lot of time to collect such IoT data globally.
    No search results and security is improved for all...
    Stop collecting any IoT related network results.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:'Someone'? by Sique · · Score: 2

    Nobody ever wrote a network scanner which just looped over all IP addresses. Can't happen. Was never done.

    --
    .sig: Sique *sigh*
  5. This story answers the question asked... by forkfail · · Score: 5, Insightful
    --
    Check your premises.
  6. Re: 'Someone'? by nnull · · Score: 2

    I've installed Hikvision cameras in my warehouse. They are pretty neat cameras for the money, with h265 support and nice resolutions, saving you A LOT of data storage. But they are seriously unsecured. All of them are inside a VLAN that doesn't allow traffic to the internet or the rest of the network. Despite that, Hik-Connect works just fine through a VPN, so I don't know why you need this stuff uploading to the "Cloud".

    But despite all these simple things you can do to secure these security cameras, nobody else does it. Security camera installers put these damn things open to the internet so their customer can easily access it from outside networks without realizing so can I. You'd be surprised how many places I have access to now, like other warehouses, manufacturers, and *cough* competitors, because security firms are such absolute failures in security.

    You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

  7. Re:'Someone'? by houghi · · Score: 2

    I tried it once, but do you have ANY idea how hard it is to type them all in?

    #!/bin/bash
    for I in 0.0.0.0 0.0.0.1 0.0.0.2 0.0.0.3 0.0.0.4

    I typed it in till 0.255.255.255 and did a test run. Nothing.

    --
    Don't fight for your country, if your country does not fight for you.