Q&A: Why surveillance cams are trivial to hack


By Byron Acohido, ThirdCertainty

It didn’t take much tech savvy for the creator of the website insecam.com to aggregate web links to more than 73,000 live surveillance cameras in 256 countries. The result: Anyone can use insecam.com to tap into any of these webcams and see what they’re pointed at, mostly in commercial properties.

Each of these webcams uses the default password that shipped with the unit. And so now each is accessible by anyone via insecam.com.

The Internet of Things (IoT) is on the verge of explosive growth. Research firm IDC projects the market for Internet-connected webcams, cars, electricity meters, gaming consoles, TVs, refrigerators and other household items will grow at 9% a year for the next few years. Global spending on technology and services to expand IoT will climb from $4.8 trillion in 2012 to $7.3 trillion by 2017, IDC predicts.

Insecam.com’s unique search service highlights the fact that wide swaths of the IoT are being implemented without so much as a nod toward the sudden creation of profound privacy and security exposures.


ThirdCertainty asked Hagai Bar-El, CTO of Sansa Security, to outline what’s at stake for consumers and businesses.

3C: How did we get to a point where thousands of webcams are essentially wide open on the Internet?

Bar-El: Webcams today are incredibly inexpensive and practically commoditized. Unfortunately, most consumer-grade webcams do not offer much in terms of added security. Consumers who are unaware of the importance of security measures typically rely on the default username and password that shipped with the webcam. Or their passwords are so weak that they are easily guessed, thus leading to new websites that enable voyeurs to peer into people’s personal lives in real time.

3C: Is it just security cams in commercial buildings? How exposed are the home surveillance cams that are being widely marketed to consumers?

Bar-El: Most surveillance cams that are sold to households have three shortcomings: First, they lack strong security features. Some cameras do not encrypt traffic, some do not encrypt user passwords, and many do not support user authentication by any mechanism other than passwords. Second, many cameras are designed and distributed without any security engineered into the hardware or software layer of the product.

The Insecam project creators were able to feature real-time personal video-streaming data because the only security measure implemented on the affected cameras was a default administrative login. Lastly, most webcams have limited and hard-to-use update capabilities, so even as flaws are discovered, it is practically impossible to update them on a large scale.

Screen shot of Insecam results page for U.S.

3C: Besides webcams, what are one or two other aspects of IoT that folks should be most concerned about?

Bar-El: In the industrial enterprise space, people should be concerned with situations where IoT touches physical security and/or money, such as SCADA, automotive, financial and medical devices. In the home automation space, we are concerned about hackable IoT devices that control door locks and alarm systems.

3C: The mobile banking and mobile wallet industries are moving to take passwords out of the equation. Are any consensus solutions gaining traction?

Bar-El: The trend we are seeing is the adoption of secure cryptographic authentication between an IoT device and the service with biometric or PIN authentication between the human user and the IoT device. This type of two-factor authentication will make future IoT devices both user-friendly and more secure.
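The two-layer pattern Bar-El describes above (a PIN between the user and the device, and a cryptographic challenge-response between the device and the service) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Sansa Security, or from any camera vendor. The device ID, per-device key, salt and PIN are constructed sample values, and the message format `iot-auth|<id>|<nonce>` is an assumption made for the illustration. It contrasts with the default-password model in the article: the per-device key never leaves the device, each challenge is single-use so a captured response cannot be replayed, and a clone that only knows a shared default secret cannot answer.

```python
"""Added example: PIN-gated, per-device HMAC challenge-response authentication.

Models the two-factor IoT scheme described in the interview. All identifiers,
keys and PIN values below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample provisioning data (not from any real product).
DEVICE_ID = "cam-0001"
DEVICE_KEY = secrets.token_bytes(32)    # unique per-device secret set at manufacture
PIN_SALT = secrets.token_bytes(16)
USER_PIN = "4921"


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Derive a digest so the device stores no clear-text PIN (cf. cameras that don't encrypt passwords)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _response(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Assumed message format: HMAC-SHA256 over a domain tag, the device id and the nonce."""
    return hmac.new(key, b"iot-auth|" + device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Service:
    """Cloud side: holds each device's unique key and issues single-use challenges."""

    def __init__(self, device_keys: Dict[str, bytes]):
        self._keys = dict(device_keys)
        self._pending: Dict[str, bytes] = {}   # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        if device_id not in self._keys:
            raise KeyError("unknown device")
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        # The nonce is consumed on first use, so a replayed (nonce, tag) pair fails.
        issued = self._pending.pop(device_id, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = _response(self._keys[device_id], device_id, nonce)
        return hmac.compare_digest(expected, tag)


class Device:
    """Camera side: answers challenges only after the local user factor (PIN) succeeds."""

    MAX_PIN_ATTEMPTS = 5

    def __init__(self, device_id: str, key: bytes, pin_salt: bytes, pin_digest: bytes):
        self.device_id = device_id
        self._key = key
        self._pin_salt = pin_salt
        self._pin_digest = pin_digest
        self._attempts = 0
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        if self._attempts >= self.MAX_PIN_ATTEMPTS:
            return False            # locked out; a real product needs an out-of-band reset path
        self._attempts += 1
        ok = hmac.compare_digest(pin_hash(pin, self._pin_salt), self._pin_digest)
        if ok:
            self._attempts = 0
            self._unlocked = True
        return ok

    def respond(self, nonce: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("local user factor not satisfied")
        return _response(self._key, self.device_id, nonce)


def authenticate(service: Service, device: Device, pin: str) -> bool:
    """Full flow: user -> device (PIN), then device -> service (HMAC challenge-response)."""
    if not device.unlock(pin):
        return False
    nonce = service.challenge(device.device_id)
    tag = device.respond(nonce)
    return service.verify(device.device_id, nonce, tag)


def demo() -> Dict[str, bool]:
    """Exercise the success path and the failure modes; returns outcome per scenario."""
    service = Service({DEVICE_ID: DEVICE_KEY})
    digest = pin_hash(USER_PIN, PIN_SALT)
    device = Device(DEVICE_ID, DEVICE_KEY, PIN_SALT, digest)
    results = {}
    results["wrong_pin"] = authenticate(service, device, "0000")
    results["correct"] = authenticate(service, device, USER_PIN)
    # Replay: a captured (nonce, tag) pair is accepted once and rejected afterwards.
    nonce = service.challenge(DEVICE_ID)
    tag = device.respond(nonce)
    results["first_use"] = service.verify(DEVICE_ID, nonce, tag)
    results["replay"] = service.verify(DEVICE_ID, nonce, tag)
    # A clone holding only a shared "default" secret cannot answer for this device id.
    clone = Device(DEVICE_ID, b"shared-default-secret", PIN_SALT, digest)
    results["wrong_key"] = authenticate(service, clone, USER_PIN)
    # PIN lockout: after MAX_PIN_ATTEMPTS failures even the right PIN is refused.
    locked = Device(DEVICE_ID, DEVICE_KEY, PIN_SALT, digest)
    for _ in range(Device.MAX_PIN_ATTEMPTS):
        locked.unlock("0000")
    results["lockout"] = authenticate(service, locked, USER_PIN)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:10s} -> {'accepted' if outcome else 'rejected'}")
```

The design point is the separation of the two secrets: the PIN proves a person is at the device, and the per-device key proves the device is the one the service provisioned. Neither is a password typed into a web form, so there is no default credential for a site like Insecam to index, and the service's store of per-device keys is useless for impersonating a device without the device itself.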


3C: It seems like IoT is going to spread faster than good security and privacy practices. Agree or disagree?

Bar-El: Agree. IoT manufacturers today want to sell as many devices as they can to quickly establish market share. Security takes time and requires skills that many manufacturers currently do not have. By providing security solutions starting at the chip level and allowing developers to provision security updates to their devices from the cloud, we believe we can make the security around next-generation IoT devices future-proof.

3C: How do you see the fundamental situation playing out in 2015?

Bar-El: In 2015, IoT manufacturers will recognize the “build now, fix later” model is not sustainable and that important security features must be baked in when products ship. Considering that the IoT devices currently entering the market are smart-home focused, the security mechanisms manufacturers introduce in 2015 must be future-proof for at least a decade, and they need to include mechanisms that enable that device to be updated in real time in the event a critical vulnerability is ever discovered in the product.


