Researchers find security flaws in popular smart cameras

Researchers have discovered that cyber-attackers can remotely gain control of an IoT camera, allowing them to spy on users and more.
Written by Danny Palmer, Senior Writer

Video: UK government to IoT manufacturers: We need strong built-in security

A series of security vulnerabilities in a range of popular smart cameras leaves them vulnerable to hackers, who can exploit the devices to conduct surveillance and compromise other parts of the network the device is connected to.

A number of flaws in some cameras manufactured by South Korean firm Hanwha Techwin could allow attackers to access live video and audio feeds, and remotely get root access to the camera -- potentially gaining access to the rest of the network.

The security holes have been uncovered by researchers at security company Kaspersky Lab, who have identified almost 2,000 vulnerable cameras that are accessible via public IP addresses on the open internet.

Researchers say that the figure could be several times higher, because it doesn't account for additional devices which might be placed behind routers and firewalls.

While the attacks are only possible if those attempting to compromise devices know the serial number of the targeted camera, researchers say the way serial numbers are generated are easy to find out via brute-force attacks, which the camera-registering system doesn't have protect against.

Many of the security holes in the Hanwha SNH-V6410PN/PNW SmartCam stem from its cloud-based infrastructure. Rather than directly connecting to a device, the camera is controlled via an in-built wireless hotspot which connects it to the router via wi-fi. Users issue commands to the camera via smartphone, tablet, or computer.

See also: What is the IoT? Everything you need to know about the Internet of Things right now

While this feature is designed to provide the camera user with the flexibility to remotely operate it while they're not in the home or office, it also provides an entry point for attackers.

"The smart camera's cloud server architecture featured additional vulnerabilities appealing to attackers. Because of a fault in the architecture, an intruder could gain access via the cloud to all cameras and control them," Vladimir Dashchenko, head of vulnerabilities research group at Kaspersky Lab ICS CERT, told ZDNet.

This fault in the architecture can allow attackers to gain access to the camera via the cloud and control it. Researchers say one of the main problems in this case is that the cloud architecture is based on the XMPP communications protocol.

With the whole Hanwha camera cloud based on a Jabber server, an attacker is therefore able to register an arbitrary account on the server and gain access to all the 'rooms' on it -- including the camera itself, and gain access to its feed.

It's also possible for the cameras to be compromised by attackers spoofing the DNS server addressees specified in the cameras settings -- something which is possible because the update server is specified as a URL address in the camera's configuration file and the vulnerabilities in the Hanwha infrastructure.

The end result of this type of attack could be the distribution of modified firmware which can exploit an undocumented, hidden capability for switching the web interface and provide the outside attacker with privileged rights and the full Linux functionality of the device.

See also: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse

In this scenario, the attackers can use the compromised camera as a stepping stone to the rest of the network.

Kaspersky Lab also found that a compromised camera can potentially be used to steal credentials from camera users, as the notifications from the device can be sent to the user via social media and email.

"IoT solutions should be secured by design," said Dashchenko.

Upon uncovering the vulnerabilities in smart cameras, Kaspersky disclosed them to Hanwha. While some vulnerabilities have already been fixed, a number remain unpatched for now, but will be "completely fixed soon" according to Hanwha.

"The security of our customers is the highest priority for us. We have already fixed the camera's vulnerabilities, including the Remote Upload and Execution of arbitrary malicious code," Hanwha said in a statement.

Download now: Enterprise IoT calculator: TCO and ROI

"We have released updated firmware available to all our users. Some vulnerabilities related to the cloud have been recognized and will be fixed soon."

A number of initiatives have been launched around the world in an effort to make IoT devices more secure, including by the UK government, the European Union, and the US government.

Recent and related coverage

IoT devices are an enterprise security time bomb

The majority of enterprise players cannot identify IoT devices on their networks -- but that's only the beginning.

An Internet of Things 'crime harvest' is coming unless security problems are fixed

A senior police officer says IoT manufacturers must be held to account when their products open doors to new ways of committing crimes.

New IoT security rules: Stop using default passwords and allow software updates

New rules set out best practice for IoT devices, but are the makers going to listen?


Editorial standards