Researchers at security firm Kaspersky Lab say they have found several security vulnerabilities in popular brands of smart cameras made by surveillance, aeronautics, optoelectronics, automations and weapons technology company Hanwha Techwin, part of the Samsung group, which are used as baby monitors or for internal home and office surveillance.
This includes a backdoor placed there by the manufacturer which has now been removed. The cameras in question could also be used for mining cryptocurrencies, it was found.
The vulnerabilities came about because of an insecurely designed cloud-backbone system that was initially created to enable the owners to remotely access video from their devices.
The announcement was made on Friday, the second day of the Kaspersky Security Analyst Summit being held in Cancun, Mexico.
{loadposition sam08}About 2000 vulnerable devices were found online but these were cameras that had their own IP addresses and there could well have been many others in internal subnets.
The researchers also undocumented functionality, better known as a backdoor, which could be used by the manufacturer for final production test purposes.
But criminals could also use this hidden avenue to send wrong signals to any camera or change a command already sent to it.
Besides that, the feature itself was found to be vulnerable. It could be further exploited with a buffer overflow, potentially leading to the camera’s shutdown. The vendor has now fixed the issue and removed this feature.
“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider Internet with the help of a router, you will solve most security problems – or at least significantly decrease the severity of existing issues," said Vladimir Dashchenko (above), head of the vulnerabilities research group at Kaspersky Lab ICS CERT.
"In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable.
“The interesting thing is that besides the previously-described attack vectors such as malware infections and botnets, we found that the cameras could also be used for mining. While mining is becoming one of the main security threats facing businesses, IoT mining is an emerging trend due to the growing prevalence of IoT devices, and will continue to increase.”
The writer is attending the Kaspersky Security Analyst Summit as a guest of the company.
Photo: courtesy Kaspersky Lab