Security Flaw Can Turn Smart Cameras Into Spying Tools

rgMekanic

In a report from SecureList, Kaspersky Lab ICS CERT researchers decided to check how secure popular smart cameras are. The testers looked at cameras from Hanwha Techwin, and found what they call "severe" security flaws. The team found nearly 2,000 cameras on the internet with a public IP address. The flaws can allow attackers to gain remote access to the video and audio feeds, remotely disable them, infect them with malicious code, or use them as an entry point to the network to make further attacks. Kaspersky researchers contacted the manufacturer, and several models have been patched already, with more on the way.

And the record skips again with the sound of me saying that the whole "Internet of Things" is a generally bad idea. You may not be concerned, thinking "Who is Hanwha anyway?" You may know the cameras better under the name of "Samsung."

For one, the attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras. An attacker can gain access to an arbitrary SmartCam as well as to any Hanwha smart cameras.
 
Wait a second... are you trying to tell me that devices that connect to the internet have security flaws that can be taken advantage of for malicious purposes? Let me guess, now you're going to try and tell me cigarettes can cause cancer. Get outta here.
 
It has caused me to add this question to my list of questions to ask before buying something.

Does it have to be connected to the Internet to function? If the answer is "yes", then I do not buy it.

Consider:
Buying a television.
Buying a refrigerator.
Buying a toaster.
Buying a car.
Buying a toothbrush.
Buying a sex robot.

See, it works.

OT: Is anyone surprised by this?
 
It has caused me to add this question to my list of questions to ask before buying something.

Does it have to be connected to the Internet to function? If the answer is "yes", then I do not buy it.

Consider:
Buying a television.

Problem is most of this crap is now becoming standard, TVs in particular. I've only just started thinking about getting a new TV, but looking at all the cool new models I might want to try, so far they're all preloaded with all kinds of crap. Perhaps I won't need to connect it to the internet for it to function despite that, but it sucks paying for all that extra stuff when I already have my $80 Roku.
 
Standard Operating Procedure when it comes to internet connected devices.
Always remove default accounts before connecting that equipment to the internet. This includes even IP Cameras and recorders.
 
Problem is most of this crap is now becoming standard, TVs in particular. I've only just started thinking about getting a new TV, but looking at all the cool new models I might want to try, so far they're all preloaded with all kinds of crap. Perhaps I won't need to connect it to the internet for it to function despite that, but it sucks paying for all that extra stuff when I already have my $80 Roku.


The issue isn't just having a 'smart' device connected to the internet. These cams are most likely set up 'insecurely' using manufacturers' guidelines, which tell users to set up port forwarding on their routers. Then your only protection is whatever security is built into the device itself, which is typically shitty at best.

The fix is to stop setting up port forwarding for anything IOT..... If you need access to shit on your home network, then set up a VPN and connect that way. Otherwise this kind of stuff is going to happen.

I go 1 step farther and explicitly block all outbound traffic on the devices themselves. Only devices that actually require internet can get out.
 
...I go 1 step farther and explicitly block all outbound traffic on the devices themselves. Only devices that actually require internet can get out.
This. +1. +9999999.

Go even further - even IOT devices that "need" internet access are restricted to EXACTLY the endpoints and ports on that endpoint they need and attempts to go elsewhere are logged. Also, run a good IDS/IPS in your internet gateway router (Suricata or Snort with the "emerging threats" rulebase).
 
This. +1. +9999999.

Go even further - even IOT devices that "need" internet access are restricted to EXACTLY the endpoints and ports on that endpoint they need and attempts to go elsewhere are logged. Also, run a good IDS/IPS in your internet gateway router (Suricata or Snort with the "emerging threats" rulebase).

The problem in this case is that the cloud servers are vulnerable (the cameras use them for relay mode) and attackers leverage that. Guess I'll finally firewall it. Sad thing is the Samsung stuff is still more secure than most. I've had security cameras come in with firmware so flawed you'd think it was deliberate... and I do.
 
The problem in this case is that the cloud servers are vulnerable (the cameras use them for relay mode) and attackers leverage that. Guess I'll finally firewall it. Sad thing is the Samsung stuff is still more secure than most. I've had security cameras come in with firmware so flawed you'd think it was deliberate... and I do.


The article is about insecure IOT devices themselves. With search engines that just scrape all devices visible online, it makes it easy to automate scripts that attempt to exploit known vulnerabilities across a large number. The problem is, a lot of the devices have known vulnerabilities, or even worse, hard coded credentials in the firmware. In that case there is no way to secure it other than not allowing inbound traffic from the internet. But most people don't understand this, and I'm guessing manufacturers downplay the risk of port forwarding.
 
Problem is most of this crap is now becoming standard, TVs in particular. I've only just started thinking about getting a new TV, but looking at all the cool new models I might want to try, so far they're all preloaded with all kinds of crap. Perhaps I won't need to connect it to the internet for it to function despite that, but it sucks paying for all that extra stuff when I already have my $80 Roku.
I have just enough IP addresses to handle everything that I want on the network and they are statically assigned to each device...
 
I have just enough IP addresses to handle everything that I want on the network and they are statically assigned to each device...


Do you mean you have public IPs attached to all your internal devices?...... I hope not because that is a REALLY dumb idea.

And if you don't mean public IPs, you have more private IPs available than you could use. You aren't limited to a /24, even a class A private can expand far beyond that. Static IP assignment by itself doesn't accomplish anything unless you're using it to create firewall rules for each device and blocking all other traffic.
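
The setup several posts above describe (no inbound port forwards, VPN for remote access, statically addressed devices allowed out only to exact endpoints and ports, everything else logged and dropped), written as an nftables ruleset. This is an added example, not something posted in the thread; the interface names (wan0, iot0, wg0), the 192.168.50.0/24 segment and every address in the sets are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: per-device egress allowlist for an IoT segment.
# Interface names and all addresses below are constructed placeholders.

# Create-then-delete makes reloading this file idempotent.
table inet iot_egress
delete table inet iot_egress

table inet iot_egress {
    # device IP . destination IP . destination TCP port
    # Relies on each device having a static address (or a DHCP reservation).
    set allowed_tcp {
        type ipv4_addr . ipv4_addr . inet_service
        elements = {
            192.168.50.10 . 203.0.113.10 . 443,
            192.168.50.11 . 203.0.113.10 . 443
        }
    }

    # Devices allowed to reach the one NTP server below
    set ntp_clients {
        type ipv4_addr
        elements = { 192.168.50.10, 192.168.50.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for flows that were permitted in the first place
        ct state established,related accept

        # Remote access goes through the VPN interface, never a port forward
        iifname "wg0" oifname "iot0" accept

        # New connections from the internet to the IoT segment: log and drop.
        # This also catches traffic arriving through a leftover DNAT rule.
        iifname "wan0" oifname "iot0" log prefix "iot-inbound-deny " counter drop

        # Exact device/endpoint/port tuples only
        iifname "iot0" oifname "wan0" ip saddr . ip daddr . tcp dport @allowed_tcp accept
        iifname "iot0" oifname "wan0" ip saddr @ntp_clients ip daddr 203.0.113.53 udp dport 123 accept

        # Anything else leaving the IoT segment is logged, counted and dropped
        iifname "iot0" oifname "wan0" log prefix "iot-egress-deny " counter drop

        # IoT devices do not initiate connections into the rest of the LAN
        iifname "iot0" log prefix "iot-lateral-deny " counter drop
    }
}
```

The log prefixes make denied attempts easy to pull out of the kernel log, and `nft list table inet iot_egress` shows the per-rule counters.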
 