Security Flaw Can Turn Smart Cameras Into Spying Tools

Discussion in '[H]ard|OCP Front Page News' started by rgMekanic, Mar 13, 2018.

  1. rgMekanic

    rgMekanic [H]ard|News Staff Member

    Messages:
    4,944
    Joined:
    May 13, 2013
    In a report from SecureList, Kaspersky Lab ICS CERT researchers decided to check how secure a popular smart cameras are. The testers looked at cameras from Hanwha Techwin, and found what they call "severe" security flaws. The team found nearly 2,000 cameras on the internet with a public IP address. The flaws can allow attackers to gain remote access to the video and audio feeds, remotely disable them, infect them with malicious code, or use them as an entry point to the network to make further attacks. Kaspersky researchers contacted the manufacturer, and several models have been patched already, with more on the way.

    And the record skips again with the sound of me saying that the whole "Internet of Things" is a generally bad idea. You may not be concerned, thinking "Who is Hanwha anyway?" You may know the cameras better under the name of "Samsung."

    For one, the attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras. An attacker can gain access to an arbitrary SmartCam as well as to any Hanwha smart cameras.
     
  2. theplaidfad

    theplaidfad Lurker

    Messages:
    978
    Joined:
    Apr 24, 2008
    Wait a second... are you trying to tell me that devices that connect to the internet have security flaws that can be taken advantage of for malicious purposes? Let me guess, now you're going to try and tell me cigarettes can cause cancer. Get outta here.
     
    rgMekanic and BSmith like this.
  3. BSmith

    BSmith Gawd

    Messages:
    904
    Joined:
    Nov 9, 2017
    It has caused me to add this question to my list of questions to ask before buying something.

    Does it have to be connected to the Internet to function? If the answer is "yes", then I do not buy it.

    Consider:
    Buying a television.
    Buying a refrigerator.
    Buying a toaster.
    Buying a car.
    Buying a toothbrush.
    Buying a sex robot.

    See, it works.

    OT: Is anyone surprised by this?
     
  4. TwistedAegis

    TwistedAegis [H]ardForum Junkie

    Messages:
    8,970
    Joined:
    Oct 7, 2009
    Problem is most of this crap is now becoming standard, TVs in particular. I've only just started thinking about getting a new TV, but looking at all the cool new models I might want to try, so far they're all preloaded with all kinds of crap. Perhaps I won't need to connect it to the internet for it to function despite that but; it sucks paying for all that extra stuff when I already have my $80 Roku.
     
    BSmith likes this.
  5. Daarken

    Daarken [H]Lite

    Messages:
    85
    Joined:
    Jan 3, 2006
    Standard Operating Procedure when it comes to internet connected devices..
    Always remove default accounts before connecting that equipment to the internet. This includes even IP Cameras and recorders.
     
  6. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,881
    Joined:
    Nov 16, 2009

    The issue isn't just having a 'smart' device connected to the internet. These cams are most likely setup 'insecurely' using manufacturers guidelines which tell users to setup port forwarding on their routers. Then your only protection is whatever security is built into the device itself, which is typically shitty at best.

    The fix is to stop setting up port forwarding for anything IOT..... If you need access to shit on your home network, then setup a VPN and connect that way. Otherwise this kind of stuff is going to happen.

    I go 1 step farther and explicitly block all outbound traffic on the devices themselves. Only devices that actually require internet can get out.
     
  7. PigLover

    PigLover [H]ard|Gawd

    Messages:
    1,152
    Joined:
    Jul 11, 2009
    This. +1. +9999999.

    Go even further - even IOT devices that "need" internet access are restricted to EXACTLY the endpoints and ports on that endpoint they need and attempts to go elsewhere are logged. Also, run a good IDS/IPS in your internet gateway router (Suricata or Snort with the "emerging threats" rulebase).
     
  8. Todd Walter

    Todd Walter Limp Gawd

    Messages:
    410
    Joined:
    May 10, 2016
    The problem in this case is that the cloud servers are vulnerable (the cameras use them for relay mode) and attackers leverage that. Guess I'll finally firewall it. Sad thing is the Samsung stuff is still more secure than most. I've had security cameras come in with firmware so flawed you'd think it was deliberate... and I do.
     
  9. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,881
    Joined:
    Nov 16, 2009

    The article is about insecure IOT devices themselves. With search engines that just scrape all devices visible online, it makes it easy to automate scripts that attempt to exploit known vulnerabilities across a large number. The problem is, a lot of the devices have known vulnerabilities, or even worse, hard coded credentials in the firmware. In that case there is no way to secure it other than not allowing inbound traffic from the internet. But most people don't understand this, and I'm guessing manufacturers downplay the risk of port forwarding.
     
  10. YeuEmMaiMai

    YeuEmMaiMai Pick your own.....you deserve it.

    Messages:
    16,612
    Joined:
    Jun 11, 2004
    I have just enough IP address to handle everything that I want on the network and they are statically assigned to each device...
     
  11. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,881
    Joined:
    Nov 16, 2009

    Do you mean you have public IPs attached to all your internal devices?...... I hope not because that is a REALLY dumb idea.

    And if you don't mean public IPs, you have more private IPs available than you could use. You aren't limited to a /24, even a class A private can expand far beyond that. Static IP assignment by itself doesn't accomplish anything unless you're using it to create firewall rules for each device and blocking all other traffic.