How crooks can cover up crimes by hacking IoT cameras to show fake footage

Researchers detail the risk posed by insecure IoT devices, demonstrating how hackers could hide evidence of a physical break-in from operators of internet-connected cameras.
Written by Danny Palmer, Senior Writer

Security vulnerabilities in Internet of Things surveillance cameras can allow hackers to remotely gain access to networks and manipulate live-streamed footage to hide evidence of crimes, researchers have warned.

Security analysts at Forescout set up a laboratory using common IoT devices like IP cameras, IoT gateways, smart lights and motion sensors to analyse how attackers could gain access to networks and conduct illicit activity.

SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

Each of the devices were chosen due to being popular and commercially available, and no new vulnerabilities were exploited as part of the test, which employed a Raspberry Pi to carry out the attack.

The findings are detailed in a new report, Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT. 

Researchers note that the prevalence of severe bugs leading to remote code execution and complete takeover of the cameras is a particular concern – because surveillance cameras are viewed as important for the security of buildings and security personnel will trust whatever footage they're being shown. IoT cameras are also some of the most compromised connected devices.

Internet-facing IP cameras are regularly found to contain security vulnerabilities that can grant attackers access to a network – with the cameras often discoverable via the Shodan IoT device search engine and remotely accessible because of weak security protocols, such as default login credentials.

"We were surprised by the amount of protocols that are there by default and enabled," Elisa Costante, director of industrial and operational technology innovation at Forescout told ZDNet.

"Most of them are actually non-encrypted by default, and in some areas encryption is not available," she added.

By taking advantage of this, the researchers were able to gain access to internet-connected cameras and take advantage of weaknesses in the streaming protocols of video-surveillance systems.

Taking the role of offensive hackers, researchers performed a man-in-the-middle attack between the camera and the computer of the security operator, allowing attackers to secretly monitor and change traffic between the two systems.

They then ran a set of scripts to force the camera to end its current session. The operator's computer attempted to restart the session, but the scripts intercepted and tampered with the footage, displaying pre-recorded images instead.

This type of attack can be exploited to display footage, which makes it look as if nothing is happening, when all the while an intruder is in the room and engaging in criminal activity.

"We leveraged some common vulnerabilities – if you're on the same network, you can basically stop the flow of the camera and replace it with previously recorded footage. If you enter a building physically where you're not supposed to, you can hide all your steps," said Costante

"Cyber and physical are really interconnected. There's not much difference in the layers anymore," she added, citing how a cyberattack against an IP camera can lead to real-world consequences – in this case, hiding evidence of physical access to a building.

In addition to exploiting IoT cameras for the purposes of sabotage, attackers could also use vulnerable devices as an entry point into networks to conduct further attacks.

While organisations are increasingly adopting IoT as part of smart buildings, insecure connected devices still pose the potential to put businesses at risk – especially if the devices are installed then never updated.

"Our intent is to shine some light on these devices, how tiny they are and how they're entering the enterprise. Sometimes they're overlooked in terms of where they are and forgotten. If you want to enter an enterprise network, you can start with these," Costante explained.

"If you know about the problem, you can do something about it. Isolate the devices and make sure they're on their own network, make sure the configurations aren't set to default and be aware of best practice on how they can be used," she added.


Editorial standards