International. Kaspersky Lab researchers have discovered a number of security vulnerabilities in popular smart cameras that could allow attackers to gain remote access to video and audio streams from cameras.
In addition, they could remotely disable these devices, execute malicious arbitrary code on them, and commit other acts of misconduct.
Today's smart cameras feature a number of features, and are often used as baby monitors, or for internal surveillance of home and office security. Kaspersky Lab poses the question: "But are these cameras secure enough by design and what if such a smart camera started looking at you, rather than looking at your house?"
Analysis conducted in the past by a variety of security researchers has revealed that smart cameras in general tend to contain security vulnerabilities that vary in severity.
This recent research, however, has uncovered something surprising. Not just one, but a full range of smart cameras were found to be vulnerable to a number of serious remote attacks, due to an indecipherable cloud system initially designed that allowed owners of these cameras to remotely access video from their devices.
Kaspersky says there are several attacks that threat actors could commit by exploiting these vulnerabilities, including accessing video and audio from any camera connected to the vulnerable cloud service, and remotely gaining root access to a camera to use as an entry point for future attacks on other devices on local and external networks.
In addition, threat actors could remotely upload and execute arbitrary malicious code on cameras, steal personal information such as users' social media accounts and information that is used to send notifications to users, as well as vulnerable cameras remotely.
How it works
According to Kaspersky, these attacks were possible because the way the cameras interacted with the cloud service was insecure and open to relatively easy interference. In addition, the cloud service architecture was vulnerable to external interference.
"It is important to note that such attacks were only possible if the attackers knew the camera's serial number," the researchers added. "However, the way serial numbers are generated is relatively easy to discover through simple brute-force attacks – the camera's registration system had no brute force protection."
During the course of their research, they identified nearly 2,000 vulnerable cameras working online, but these were only devices that had their own IP address, and were directly available over the Internet. "The actual number of vulnerable devices placed behind routers and firewalls could actually be several times greater," the company explains.
False assumptions
Vladimir Dashchenko, head of Kaspersky Lab's vulnerability research group ICS CERT, says that both customers and vendors assume that placing an Internet of Things (IOT) device within the network and separating it with the help of a router will take care of most security issues.
Although router access is usually necessary to exploit security issues on devices within a target network, this is not always the case, he explains. "Our research shows that this may not actually be the case, given that the cameras we investigated could only talk to the outside world through a cloud service, which was totally vulnerable."
"What's interesting is that in addition to the attack vectors described above as malware infections and botnets, we found that the cameras can also be used for mining. While mining is becoming one of the top security threats facing businesses, IoT mining is an emerging trend due to the increasing prevalence of IoT devices, and it will continue to increase," he adds.
