Kaspersky Lab researchers have discovered multiple security vulnerabilities in popular smart cameras that are frequently used as baby monitors, or for internal home and office security surveillance. According to the research, the uncovered flaws could allow attackers to obtain remote access to video and audio feeds from the cameras, remotely disable these devices, execute arbitrary malicious code on them and do many other things.

 

Modern smart cameras offer a large number of functions, giving users various opportunities: people can use them as advanced baby monitors or as surveillance systems that spot intruders while no one is home or in the office. But are these cameras secure enough by design? And what if such a smart camera started watching you, instead of watching your home?

 

Previous analysis conducted by many other security researchers has shown that smart cameras in general tend to contain security vulnerabilities at different levels of severity. However, in their latest research, Kaspersky Lab experts uncovered something extraordinary: not just one, but a whole range of smart cameras was found to be vulnerable to a number of severe remote attacks. This was due to an insecurely designed cloud-backbone system that was initially created to enable the owners of these cameras to remotely access video from their devices.

 

By exploiting these vulnerabilities, malicious users could execute the following attacks:

  • Access video and audio feeds from any camera connected to the vulnerable cloud service;
  • Remotely gain root access to a camera and use it as an entry point for further attacks on other devices on both local and external networks;
  • Remotely upload and execute arbitrary malicious code on the cameras;
  • Steal personal information such as users’ social network accounts and information which is used to send users notifications;
  • Remotely “brick” vulnerable cameras. (To brick a device means to make it completely unable to function, typically on a permanent basis.)

 

Following the discovery, Kaspersky Lab researchers contacted and reported the vulnerabilities to Hanwha Techwin, the manufacturer of the affected cameras. At the time of publication, some vulnerabilities had already been fixed, and the remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.

 

All these attacks were possible because experts found that the way the cameras interacted with the cloud service was insecure and open to relatively easy interference. They also found that the architecture of the cloud service itself was vulnerable to external interference.

 

It is important to note that such attacks were only possible if attackers knew the serial number of the camera. However, the way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registration system didn’t have brute-force protection.

 

While doing their research, Kaspersky Lab experts were able to identify almost 2,000 vulnerable cameras working online, but these were only the cameras that had their own IP address, hence were directly available through the internet. The real number of vulnerable devices placed behind routers and firewalls could actually be several times higher.

 

In addition, researchers found undocumented functionality, which could be used by the manufacturer for final production test purposes. However, criminals could also use this hidden avenue to send wrong signals to any camera or change a command already sent to it. Besides that, the feature itself was found to be vulnerable: it could be further exploited with a buffer overflow, potentially leading to the camera’s shutdown. The vendor has now fixed the issue and removed this feature.

 

“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems – or at least significantly decrease the severity of existing issues. In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable,” said Vladimir Dashchenko, Head of vulnerabilities research group at Kaspersky Lab ICS CERT.

 

“The interesting thing is that besides the previously-described attack vectors such as malware infections and botnets, we found that the cameras could also be used for mining. While mining is becoming one of the main security threats facing businesses, IoT mining is an emerging trend due to the growing prevalence of IoT devices, and will continue to increase,” he added.

 

Hanwha Techwin Statement

 

The security of our customers is the highest priority for us. We have already fixed the camera’s vulnerabilities, including the Remote Upload and Execution of arbitrary malicious code. We have released updated firmware available to all our users. Some vulnerabilities related to the cloud have been recognized and will be fixed soon.

 

In order to stay protected, Kaspersky Lab strongly advises users to do the following:

  • Always change the default password. Use a complex one instead and do not forget to update it regularly.
  • Pay close attention to security issues of connected devices before purchasing yet another smart device for homes or offices. Information on discovered and patched vulnerabilities is usually available online and is often easy to find.

 

Kaspersky Lab encourages manufacturers to enhance their cybersecurity and emphasizes the importance of ensuring the proper understanding and assessment of threat risks, as well as the development of a secure-by-design environment. Our company actively collaborates with vendors and reports all discovered vulnerabilities.

 

More information on this research is available on Securelist.com.

