Q&A: Why surveillance cams are trivial to hack
By Byron Acohido, ThirdCertainty
It didn’t take much tech savvy for the creator of the website insecam.com to aggregate web links to more than 73,000 live surveillance cameras in 256 countries. The result: Anyone can use insecam.com to tap into any of these webcams and see what they’re pointed at, mostly in commercial properties.
Each of these webcams uses the default password that shipped with the unit. And so now each is accessible by anyone via insecam.com.
The Internet of Things (IoT) is on the verge of explosive growth. Research firm IDC projects the market for Internet-connected webcams, cars, electricity meters, gaming consoles, TVs, refrigerators and other household items will grow at 9% a year for the next few years. Global spending on technology and services to expand IoT will climb from $4.8 trillion in 2012 to $7.3 trillion by 2017, IDC predicts.
Insecam.com unique search service highlights the fact that wide swaths of the IoT are being implemented without so much as a nod toward the sudden creation of profound privacy and security exposures.
ThirdCertainty asked Hagai Bar-El, CTO of Sansa Security, to outline what’s at stake for consumers and businesses.
3C: How did we get to a point where thousands of webcams are essentially wide open on the Internet?
Bar-El: Webcams today are incredibly inexpensive and practically commoditized. Unfortunately, most consumer-grade webcams do not offer much in terms of added security. Consumers who are unaware of the importance of security measures typically rely on the default username and password that shipped with the webcam. Or their passwords are so weak that they are easily guessed, thus leading to new websites that enable voyeurs to peer into people’s personal lives in real time.
3C: Is it just security cams in commercial buildings? How exposed are the home surveillance cams that are being widely marketed to consumers?
Bar-El: Most surveillance cams that are sold to households have three shortcomings: First, they lack strong security features. Some cameras do not encrypt traffic, some do not encrypt user passwords, and many do not support user authentication by any mechanism other than passwords. Second, many cameras are designed and distributed without any security engineered into the hardware or software layer of the product.
The Insecam project creators were able to feature real-time personal video-streaming data because the only security measure implemented on the affected cameras was a default administrative log in. Lastly, most webcams have limited and hard-to-use update capabilities, so even as flaws are discovered, it is practically impossible to update them on a large scale.
3C: Besides webcams, what are one or two other aspects of IoT that folks should be most concerned about?
Bar-El: In the industrial enterprise space, people should be concerned with situations where IoT touches physical security and/or money, such as SCADA, automotive, financial and medical devices. In the home automation space, we are concerned about hackable IoT devices that control door locks and alarm systems.
3C: The mobile banking and mobile wallet industries are moving to take passwords out of the equation. Are any consensus solutions gaining traction?
Bar-El: The trend we are seeing is the adoption of secure cryptographic authentication between an IoT device and the service with biometric or PIN authentication between the human user and the IoT device. This type of two-factor authentication will make future IoT devices both user-friendly and more secure.
3C: It seems like IoT is going to spread faster than good security and privacy practices. Agree or disagree?
Bar-El: Agree. IoT manufacturers today want to sell as many devices as they can to quickly establish market share. Security takes time and requires skills that many manufacturers currently do not have. By providing security solutions starting at the chip level and allowing developers to provision security updates to their devices from the cloud, we believe we can make the security around next-generation IoT devices future-proof.
3C: How do you see the fundamental situation playing out in 2015?
Bar-El: In 2015, IoT manufacturers will recognize the “build now, fix later” model is not sustainable and that important security features must be baked in when products ship. Considering that the IoT devices currently entering the market are smart-home focused, the security mechanisms manufacturers introduce in 2015 must be future-proof for at least a decade, and they need to include mechanisms that enable that device to be updated in real time in the event a critical vulnerability is ever discovered in the product.
More on emerging privacy concerns