Someone’s watching your Big Brother

The profusion of cheap (and not so cheap) IP-enabled security cameras leaves a few more security holes open than you might like.
20 March 2018

Many readers will have noticed the increasing number of IP-enabled (often wireless) security cameras on the market. Typically these devices can be used as baby monitors, basic security systems, or to satisfy (at the cheapest possible rate) the stipulations of insurance companies.

Recent research from Kaspersky Labs has found multiple security flaws with some cameras, singling out models by Korean manufacturer Hanwha Techwin as particularly susceptible.

In its research, Kaspersky identified over 2,000 Hanwha Techwin cameras presently in use which are liable to attack by many relatively trivial methods. Each of the circa 2,000 cameras found had a public IPv4 address, and so was easily accessible from the internet.

Many more devices sit behind NAT devices such as firewalls, and so might seem to be much safer. But the way many IP-enabled cameras operate these days makes them prone to attack.

Rather than feed locally into a recording device (usually an array of hard drives), many cameras designed for basic use feed directly to (and are controlled by) third-party cloud services. Users access their cameras’ feeds and manage them via the cloud. But, if the cloud service itself, or traffic to and from the service, is not secure, then hackers do not need to gain access to LANs via gateway routers, for instance, to take advantage of exploits.

To take a single example, the embedded systems in some cameras communicate with their hosting cloud services with no level of authentication, which opens up a host of exploits. As well as intercepting cameras’ audio & video feeds, hackers can control cameras: turning off night vision, making devices tilt/pan, or even remotely “bricking” devices.

The baked-in on-chip camera OSs can also be exploited to deploy code which runs at root level inside the local area network. Hardened gateway devices and WiFi security are therefore simply circumvented.

The company involved, Hanwha Techwin, has been informed by Kaspersky of the vulnerabilities, which include:

  • Use of insecure HTTP protocol during firmware update and camera interaction via HTTP API.
  • An undocumented (hidden) capability for switching the web interface using the file “dnpqtjqltm” and buffer overflow in same.
  • Remote execution of commands with root privileges.
  • Remote change of administrator password.
  • Denial of service for camera.
  • No protection from brute force attacks for the camera’s admin account password.
  • A weak password policy when registering the camera on the server.
  • Attacks against users of bundled applications possible.
  • Communication with other cameras possible via cloud server.
  • Blocking of new camera registration on cloud server.
  • Authentication bypass of camera, with change of administrator password and remote execution of commands possible.
  • Restoration of camera password for the cloud account.

In response, the company issued a statement saying:

“The security of our customers is the highest priority for us. We have already fixed the camera’s vulnerabilities, including the Remote Upload and Execution of arbitrary malicious code. We have released updated firmware available to all our users. Some vulnerabilities related to the cloud have been recognized and will be fixed soon.”

Kaspersky recommends changing all default passwords on internet of things devices. The company’s original report can be found here.
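For anyone who looks after a handful of these cameras, the points above (internet-reachable addresses, cleartext HTTP for firmware updates and the API, cloud management behind NAT, default passwords) can be checked against a device inventory. The script below is an added example, not code from Kaspersky or Hanwha Techwin; the inventory records, field names and URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges not routed on the public internet: RFC 1918, RFC 6598 (carrier NAT),
# link-local and loopback. Any other address is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed inventory. Field names are hypothetical; 203.0.113.0/24 is a
# documentation range standing in for a real public address.
INVENTORY = [
    {"name": "lobby-cam", "ip": "203.0.113.10", "cloud_managed": False,
     "default_password": True,
     "urls": {"api": "http://203.0.113.10/api",
              "firmware": "http://updates.example.com/fw.bin"}},
    {"name": "nursery-cam", "ip": "192.168.1.20", "cloud_managed": True,
     "default_password": False,
     "urls": {"api": "https://192.168.1.20/api",
              "firmware": "http://updates.example.com/fw.bin"}},
    {"name": "yard-cam", "ip": "10.0.0.5", "cloud_managed": False,
     "default_password": False,
     "urls": {"api": "https://10.0.0.5/api",
              "firmware": "https://updates.example.com/fw.bin"}},
]

def is_internet_facing(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit(device):
    """Return the list of findings for one inventory record."""
    findings = []
    if is_internet_facing(device["ip"]):
        findings.append("internet-facing address")
    elif device["cloud_managed"]:
        # NAT hides the camera, not its channel to the cloud service.
        findings.append("behind NAT but cloud-managed: review cloud channel")
    for purpose, url in sorted(device["urls"].items()):
        if urlsplit(url).scheme.lower() != "https":
            findings.append(f"{purpose} uses cleartext {urlsplit(url).scheme}")
    if device["default_password"]:
        findings.append("default password still set")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, keeping only devices with findings."""
    report = {d["name"]: audit(d) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```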

However, even a cursory glance at the reviews of some of the cheaper cameras on Amazon.com reveals a number of real-life concerns raised by irate purchasers, including reports of being able to hear “Chinese voices” from cameras’ internal speakers. Caveat Emptor.