IP Camera Security Risks

Two researchers say, demo in support, be able to make quick and easy way to control an IP camera, without the knowledge of its owner. Tens of thousands of devices connected to the Internet are vulnerable.

Eturn a spy is also possible in the digital life. Sergey Sheky an and Artem Harutyunyan, security researchers at Qualys specialized publisher, demonstrated Thursday at the occasion of the conference Hack in the Box (Amsterdam) how it could be easy to take control, remote and unbeknownst to its rightful owner, an IP camera connected to the Internet. Their work (PDF, 2MB) focused on a model of common camera (FI8910W), developed by the American Foscam (which sells under its name, but also white label).

This first issue added a second : although few users realize it, a machine connected to the Internet, if access to the network is not properly set, which can be referenced by specialized services (eg Shodan). These are, for researchers as to the attackers, an address book on which their talents.

Sergey Shekyan and Artem Harutyunyan have initially found that among IP cameras listed on this type of service, about a model five sees access to its administration protected by the default password used by the manufacturer, and therefore proves vulnerable by default.

for others, they recall the existence of vulnerabilities recognized , one of which allows for example to get a complete picture of the operating system of the camera, the center of which are the identifiers of administrator accounts. Although the flaw in question was corrected by the manufacturer, 99% of cameras tested by them do not fit the necessary update.

Beyond the obvious risks to privacy of the user, both researchers believe that these vulnerabilities can also serve other more insidious purposes, since both open access to the administration of the camera as its operating system, easily editable. Among other scenarios, they mention the use of the camera as a proxy to hide his activity or injection through him, malicious code on the owner’s computer (for example by including a JavaScript code within the pan ‘administration interface).

both logically conclude that the need to properly configure the local network and connected devices, for individuals as for network administrators in business, and advise for example to apply this type of device, the filtering rules by IP address, in order to limit undue access. Recently, Trendnet cameras had the honors of the news, because of their propensity to publicly display in private flows.

Leave a Reply