Security company Kaspersky has found that the tsunami of new smart devices – coffee machines, fridges, cars, speakers, vacuums, speakers and even security cameras themselves inevitably have security failings.
Vladimir Dashchenko, from Kaspersky Lab’s ICSS CERT, ponders, “We are now seeing the emergence of smart streets, roads and even cities. What then?”
Among many items tested Kaspersky found a popular security camera, the Hanwha SNH-V6410PN/PNW SmartCam had more than a few holes.
- Use of insecure HTTP protocol during firmware update
- Use of insecure HTTP protocol during camera interaction via HTTP API
- An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
- Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
- A feature for the remote execution of commands with root privileges
- A capability to remotely change the administrator password
- Denial of service for SmartCam
- No protection from brute force attacks for the camera’s admin account password
- A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
- Communication with other cameras is possible via the cloud server
- Blocking of new camera registration on the cloud server
- Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
- Restoration of camera password for the SmartCam cloud account
After additional research, Kaspersky established that these problems existed in all Hanwha Techwin cameras including those branded as Samsung SmartCams. The manufacturer has worked with Kaspersky to close the security holes.
An attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras.
What are the implications for a regular user? A remote attacker can gain access to any camera and watch what’s happening, send voice messages to the camera’s onboard speaker, use the camera’s resources for cryptocurrency mining, etc. A remote attacker can also put a camera out of service, so it can no longer be restored.
Voice assistance opens another can of worms.
To make your day read ESET’s “IoT AND PRIVACY BY DESIGN IN THE SMART HOME” that found privacy issues with Alexa, more specifically with some Alexa skills. It concludes:
“Each person will have a differing view on what personal information they are willing to disclose, either to a single vendor or to a company that has an aggregated view (Alexa, Sira, Google, or Cortana).
The potential for home, lifestyle, health and even browsing data collected by internet service providers to be available to a single entity should only be permitted after due consideration for the consequences.
As companies discover new ways to monetise data collected by IoT devices, then either the industry needs to self-regulate, or governments will need to strengthen privacy legislation in a similar way to that in which the EU has implemented GDPR.
GadgetGuy’s take on IoT security
There are thousands more brands/models of vulnerable IoT devices.
In the past week, my Fing Box has identified and blocked seventeen attempts to access my home network remotely. These are mainly from robot crawlers looking for common passwords like admin/admin or 12345 etc. Ironically to simplify setup, many routers and security cameras ship with Admin/Admin or no password at all. Most are left that way.
Trend Micro’s Home Network Security ‘box’ blocked a similar number of remote connection attempts at another location. When a device is probed, Norton Endpoint protection also frequently pops up.