Security vulnerabilities in some popular smart cameras, used as baby monitors and for security surveillance, could leave them open to exploitation by hackers.
Research from Kaspersky Lab has found multiple issues in cameras manufactured by Korean company Hanwha Techwin that could allow attackers to obtain remote access to video and audio feeds from the cameras, remotely disable the devices and execute arbitrary malicious code on them.
The flaws would also allow attackers to steal personal information such as users’ social network accounts and the information used to send users notifications. Hackers could also remotely ‘brick’ vulnerable cameras.
It’s important to note that these attacks are only possible if attackers know the serial number of the camera. However, the way in which serial numbers are generated makes them relatively easy to find through simple brute-force attacks.
Kaspersky Lab experts have been able to identify almost 2,000 vulnerable cameras working online, but these are only the cameras that have their own IP address, directly available through the internet. The number of vulnerable devices placed behind routers and firewalls could be several times higher.
“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems — or at least significantly decrease the severity of existing issues,” says Vladimir Dashchenko, head of vulnerabilities research group at Kaspersky Lab ICS CERT. “In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable.”
In response to the disclosure, Hanwha Techwin has issued a statement saying, “The security of our customers is the highest priority for us. We have already fixed the camera’s vulnerabilities, including the Remote Upload and Execution of arbitrary malicious code. We have released updated firmware available to all our users. Some vulnerabilities related to the cloud have been recognized and will be fixed soon.”
In the meantime, Kaspersky recommends changing the default password on smart devices and making sure that they are updated regularly. You can read more details about the vulnerability on the Kaspersky SecureList blog.