One of the world’s largest threat intelligence research groups, Cisco Talos, recently discovered scores of vulnerabilities in Google’s Nest Cam IQ indoor camera. Cisco Talos identified multiple exploitable problems with the IP security camera. The vulnerabilities were linked to Weave, the protocol Nest relies on to enable users to configure and establish initial communication of the device. The vulnerabilities could allow an attacker to carry out a range of attacks, from denial of service, code execution or information disclosure. An adversary could also seize control over the affected devices.
What that news means about the current state of security for IP cameras, however, is difficult to ascertain at first glance. And seemingly conflicting information is rampant. Here, we provide several fundamental conclusions about the current state of IP camera security.
IP Cameras Continue to Be Vulnerable
Internet-connected cameras deserve special consideration with the regularity they are used in ways users likely didn’t anticipate. IP cameras played a starring role in the Mirai botnet in 2016, a DDoS attack that shut down a chunk of the internet. While some manufacturers of such devices share part of the blame given their failure to prioritize cybersecurity in the development of the products, another element is users’ reliance on default usernames and passwords. The Mirai botnet, in particular, homed in on the tendency of many web cameras, DVRs, routers and other devices to use default passwords. Many users of such devices contribute to the problem given their propensity for using and reusing insecure passwords. Manufacturers of such devices can force users to change such passwords after the first use.
Another consideration, however, is the possibility for security cameras, and other IoT devices, to use a default username and password that are not exposed to the user, according to Asaf Ashkenazi, chief strategy officer at Verimatrix. This log-in info could enable an attacker to open a remote shell. “In some cases, it seems that OEMs intentionally use the same default password for all devices, because it reduces manufacturing costs, and likely to reduce customer support calls,” Ashkenazi explained.
“If you look at the vendors in IoT, they have two things that are very problematic,” Ashkenazi said. “They have pressure to decrease their time to market. They need to beat their competitors, or to be at least at the same time when they go out with a solution.” They also have cost constraints. “If you look at the different ‘things’ that are connected, whether it is a light bulb or a toaster, consumers expect what those products should cost,” Ashkenazi said. The price of many connected devices continues to fall, leading Cnet to declare, recently: “The era of the $200 security camera is over. This $20 alternative is impressive.” That may be the case, but it is likely that the manufacturer of an inexpensive security camera offers little in the way of security.
While consumers tend to get upset upon reading about a compromised security camera, the buying public rarely considers security as a buying factor, Ashkenazi said. “We certainly look at the price and sometimes performances and product reviews.” Consumers’ priorities eventually dictate the priorities of IP camera manufacturers. Still, Ashkenazi acknowledged that it is often difficult for consumers to ascertain if one particular product is more secure than another. “I hope that in the future, product reviews published by leading consumer magazines will not only focus on performance and user experience but will also rate the security of the products they review,” Ashkenazi said.
The Media Tends to Love Hacked Camera Stories
Articles about hacked cameras are often attention-grabbing. For evidence of that, look to stories from this year describing the tale of nuclear attack hoax perpetrated via a Nest security camera speaker or a Forbes article declaring millions of Chinese cameras “can be hacked to spy on users.”
Stories about hacked cameras can stir primal emotions. “But I don’t think that [IP] cameras are fundamentally different from other smart devices,” Ashkenazi said. A consumer with a connected toaster — or a printer — for that matter might shrug off the risk of such devices. “But it’s not always about [the devices in themselves],” Ashkenazi said. But consumers — and enterprises — with unpatched networked devices are at risk, no matter what type of device they are. “Let’s say you didn’t update your printer. Nobody remembers to update their printer.” If your firmware has a known vulnerability, like the openSSL-based Heartbleed, attackers can easily take advantage of the situation to other devices in your local network. “In some cases, they can do it without knowing cracking your Wi-Fi password,” Ashkenazi said. An attacker might not need to overcome the latest Mac OS or Windows security protections to access files visible to the local network. “They can just use that compromised printer to access other devices connected to your internal network,” Ashkenazi said.
Who Is (Not) Looking Through Your IP Camera?
When you use an internet-connected camera or a computer or smartphone with an integrated camera, there is a risk of someone else looking in. That person doesn’t have to necessarily be a “hacker.” According to The Guardian, popular smartphone apps such as WhatsApp, Facebook, Snapchat, Instagram, Twitter, LinkedIn and Viber ask users to grant access to their camera and microphone. That makes it possible for the app to access both of the phone’s cameras.
The security ramifications of web cameras are, by no means, limited to hacking. Spend enough time on Shodan.io, an IoT search engine, looking for popular web camera names such as “webcamXP” and you can see how easy it is to pull up random video feeds. You can click on links and see footage from city centers, retail stores, boating docks and domestic settings. Some previous media coverage describing hacking of IP cameras highlighted victims who used unsecured credentials – often default usernames and passwords
If you installed the popular Ring camera, for instance, you may not have been fully aware that using the device grants Ring, and by extension Amazon and any of its licensees “an unlimited,” “irrevocable,” “perpetual” and “worldwide right to reuse, distribute, store, delete, translate, copy, modify, display, sell” your video footage. The company’s terms of service also give Ring the authority to “create derivative works” from your footage “for any purpose and in any media formats in any media channels without compensation to you.”
Nest’s policy for video footage appears to be narrower than Ring’s: “Your camera sends video footage to Google only if you or someone in your home has explicitly turned the camera on or enabled a feature that needs it,” explains its terms of service.
Earlier this year, Nest faced backlash after it admitted it failed to disclose that its Nest Secure home security device contained a microphone. The inclusion of the on-device microphone “was never intended to be a secret and should have been listed in the tech specs,” read a statement from the company.
The Nest terms of service describe the possibility of users consenting to interface Nest products with third-party products and services, and state users must agree to have their device automatically install updates. One recent update did away with the ability of users to turn off an LED status light that illuminates when a Nest camera is recording. It also states that the company could have access to content, including video footage that the company uses to “provide, maintain and improve the Services.”
While Ring’s terms of service cover virtually any use, a handful of use cases have become public knowledge. For one, Ring gave developers in Ukraine access to its cloud-hosted unencrypted videos to enable developers to study them to help train its computer vision algorithms, according to The Intercept and The Information.
Ring is also sharing video footage with more than 400 police forces in the United States via a program known as “Neighbors,” a neighborhood-watch-like service. In a blog post, Ring Chief Executive Officer Jamie Siminoff wrote: “Neighbors and local law enforcement have achieved amazing results by working together through the Neighbors app, from getting stolen guns off the streets to helping families keep their children safe, and even recovering stolen medical supplies for a diabetic child.” The Electronic Frontier Foundation, on the other hand, has an opposing viewpoint. “By sending photos and alerts every time the camera detects motion or someone rings the doorbell, the app can create an illusion of a household under siege,” wrote EFF policy analyst Matthew Guariglia in a blog post. “It turns what seems like a perfectly safe neighborhood into a source of anxiety and fear. This raises the question: do you really need Ring, or have Amazon and the police misled you into thinking that you do?”
Just Because Hackers Can Spy Through IP Cameras Doesn’t Mean They Are
Judging by the amount of tape, Post-It notes, stickers and other devices plastered on top of laptops, the public has developed a degree of paranoia regarding webcams. An HP survey found 79% of respondents in the United States were aware of the risk of a stranger looking in on them via a webcam. Six out of 10 respondents said they covered up their web camera – with tape or something similar – when it was not in use.
Responsible Disclosure Is a Good Thing
The recent disclosure of a string of vulnerabilities related to a Nest security model highlights how responsible disclosure can work. Cisco partnered with Nest and Weave to ensure the problem was addressed before Cisco Talos announced the vulnerabilities. According to Nest, affected cameras with an internet connection would be automatically updated to address the recently disclosed vulnerabilities.