Following the news that a Russian-based website is broadcasting live feeds to breached webcams, CCTV systems, and baby monitors, Guillermo Lafuente, Security Consultant, MWR InfoSecurity writes:
“The main problem with CCTV cameras and webcams is that they often allow remote access by default, and are preconfigured with credentials which are easy to find online or to guess. In some cases, the cameras do not require a password at all. Unless a firewall or any other protection mechanism is protecting the camera from remote access, it will be very easy for an attacker to access the camera and watch it live remotely.
“In order to find exposed cameras, an attacker can simply use an online search engine such as Google. For example, using the following query in Google: intext:"Hikvision" inurl:"login.asp"
“This will return a number of Hikvision cameras which are exposed to the Internet. There’s also a service called Shodan (http://www.shodanhq.com) which contains a large index of Internet-exposed devices, including IP cameras. If any of the exposed cameras discovered on Shodan or Google were configured with default credentials then it would be straight forward for an attacker to compromise the camera and watch it.
“For years, many vendors have ignored warnings from security researchers relating to the security implications of enabling remote access by default and using default credentials for the devices. End-users are often blamed, with vendors saying that they shouldn’t be exposing the cameras to the Internet, or saying that it is their fault for not changing the default password. A better approach for vendors would be to take security seriously and stop using default passwords for all devices. A possible solution would be for vendors to generate a random, complex password for each device and include the password in the instructions of how to access the camera remotely or print them into the device itself.
“Another common problem is that vulnerabilities are often found in the cameras, with public exploits readily available. If the vulnerability is critical and can allow an anonymous remote attacker to access the video stream then the vulnerable cameras can be easily exposed. Again, vulnerable devices can also be found via Google or Shodan. Since most end-users would not worry about applying patches, the cameras will remain vulnerable even if vendors release a security patch for the vulnerability. It is very easy to find cameras that are still vulnerable to exploits which are several years old.
“My advice to users of IP cameras concerned about the issue would be the following:
• Disable remote access to the camera unless you need it
• Make sure you change the default password to one which is strong and not easy to guess. Even better, use a passphrase instead, this will be more memorable for you and more difficult to compromise for hackers. For example: 84LoveEatingPizzaWatchingFootball!
• Make sure you apply any patches released by the vendor”