Internet-connected security cameras are basically IoT cameras that are being used for security purposes. While conventional security cameras are usually used in closed networks and are physically connected, internet-connected cameras use a live IP address and can be connected across the world and monitored from around the globe. They rely on the internet to relay the video feed using data that is routed through the World Wide Web. These cameras need to be connected to an active and high-speed internet connection to provide the video feeds back to the monitoring servers or recorders. However, are these cameras safe to be used on the internet?
Probably not, since these are the eyes around the world, be it on the streets, in offices or probably in your home or garage too. Internet-connected cameras have a firmware, that can be easily hacked into and your video feed could be tapped into by hackers from around the world. Since the firmware is not as secure, and most cameras or IoT devices in general, out there are not properly secured by the user, it becomes easy for a hacker to enter in and tap the feed. Most common home users don’t secure their cameras with a strong password, and many of them even leave their passwords to the default factory settings since they either don’t know how to change them or are now even aware that they need to do this for their own privacy.
What comes in as a shocker is that a security researcher, on July 28, revealed at a Def Con hacking conference in Las Vegas that there are more than 120,000 internet-connected cameras which are vulnerable to easy hacks.
Alexandru Balan, Chief Security Researcher with security firm Bitdefender, found a flaw with two Chinese cameras from Shenzhen Neo Electronic, which allows hackers to remotely access the video feed, take complete control of the camera, and even lock the original user out of his camera for good. The findings open up a can of worms, revealing that there could be almost 150,000 IoT devices that could be vulnerable to such easy attacks.
The researcher who found the flaw told Motherboard that he did try to warn the Chinese company about the flaw, but they did not reply back or even fixed the issues. He is also worried that the problem may never be fixed in future. “It’s unpatched and unpatchable,” Balan told Motherboard in an interview after the conference.
Balan said that when he analysed two cameras from the Chinese brand, he found that the first camera had a default username and password, which allows any user to get into the firmware settings.
What Balan meant is that manufacturers should always place unique combinations of usernames and passwords, which should not be common to any of the cameras that the brand manufactures. This could make the device almost easily unhackable, since every camera would have a different password and not a common one.
As of now, the usernames on most IoT devices are as common as ‘user,’ ‘guest,’ ‘admin,’ and ‘administrator,’ while the passwords could be ‘password’, ‘admin,’ and even blank at times.
Balan went ahead to even warn that there could be more than 120,000 cameras out there that could be vulnerable and someone could also create a 20,000 botnet with it.
Balan demoed his hack at the conference, hoping to create awareness amongst users and brands.