Security company Kaspersky has found that the tsunami of new smart devices – coffee machines, fridges, cars, speakers, vacuums, speakers and even security cameras themselves inevitably have security failings.
Vladimir Dashchenko, from Kaspersky Lab’s ICSS CERT, ponders, “We are now seeing the emergence of smart streets, roads and even cities. What then?”
Among many items tested Kaspersky found a popular security camera, the Hanwha SNH-V6410PN/PNW SmartCam had more than a few holes.
Use of insecure HTTP protocol during firmware update
Use of insecure HTTP protocol during camera interaction via HTTP API
An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
A feature for the remote execution of commands with root privileges
A capability to remotely change the administrator password
Denial of service for SmartCam
No protection from brute force attacks for the camera’s admin account password
A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
Communication with other cameras is possible via the cloud server
Blocking of new camera registration on the cloud server
Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
Restoration of camera password for the SmartCam cloud account
After additional research, Kaspersky established that these problems existed in all Hanwha Techwin cameras including those branded as Samsung SmartCams. The manufacturer has worked with Kaspersky to close the security holes.
An attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras.
What are the implications for a regular user? A remote attacker can gain access to any camera and watch what’s happening, send voice messages to the camera’s onboard speaker, use the camera’s resources for cryptocurrency mining, etc. A remote attacker can also put a camera out of service, so it can no longer be restored.
“Each person will have a differing view on what personal information they are willing to disclose, either to a single vendor or to a company that has an aggregated view (Alexa, Sira, Google, or Cortana).
The potential for home, lifestyle, health and even browsing data collected by internet service providers to be available to a single entity should only be permitted after due consideration for the consequences.
As companies discover new ways to monetise data collected by IoT devices, then either the industry needs to self-regulate, or governments will need to strengthen privacy legislation in a similar way to that in which the EU has implemented GDPR.
GadgetGuy’s take on IoT security
There are thousands more brands/models of vulnerable IoT devices.
In the past week, my Fing Box has identified and blocked seventeen attempts to access my home network remotely. These are mainly from robot crawlers looking for common passwords like admin/admin or 12345 etc. Ironically to simplify setup, many routers and security cameras ship with Admin/Admin or no password at all. Most are left that way.
Trend Micro’s Home Network Security ‘box’ blocked a similar number of remote connection attempts at another location. When a device is probed, Norton Endpoint protection also frequently pops up.
Sorry – if it is happening to me it is happening to you!
Look I know I sound like a broken record on security matters. Please put a network protection device on your router to protect vulnerable IoT devices from infection.
Dashchenko said, “The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems — or at least significantly decrease the severity of existing issues …”