What if your security camera were an insecurity camera?

An occasional security blogger named someLuser, who has an interest in embedded devices, recently wrote up the results of some hacking he did a security review he carried out on a popular brand of network-enabled security camera.

His report was picked up in turn by the Metasploit team, who confirmed and clarified someLuser‘s discoveries.

You should head to someLuser‘s post for the technical detail, and for some interesting photographic insights into the sort of inquisitiveness you need to investigate embedded devices, but here’s a very brief summary:

  • You can remotely persuade the device to reveal usernames and passwords for the administrative console.
  • You can remotely persuade the device to run a command shell and connect back to your computer so you can control it.
  • If it can, the device uses Universal Plug and Play (UPnP) so it is accessible even from outside your network.

Obviously, security cameras with security holes (especially those that record and store footage for later use) represent a rather thorny privacy problem.

A buggy web database may leak “life metadata” about you, such as your birthday, your phone number, or enough information to let someone guess the answers to your secret security questions.

But a leaky surveillance device may reveal physical details about you and your actual life. Live on camera, if that’s not stating the obvious.

You won’t be alone if you feel that’s even more chilling than having a crook try to spend your money. You can often get your money back from your financial institution; you can’t get your personal privacy back once you’ve been under someone’s prying eyes.

What can you do about this?

In the immediate term, as the Metasploit guys point out, putting your organisation’s security cameras behind a traditional connection-filtering firewall is a good start. Block inbound connections to your cameras and they can’t be attacked remotely.

If you’re able to operate your cameras on their own internal network or VLAN, and segregate it from the rest of your internal network, you’ve isolated any potentially vulnerable surveillance devices still further from compromise. In fact, you probably want to do this anyway, even if you don’t think your cameras are remotely exploitable.

The problem in this case, especially for home or small business users, is UPnP.

Plug-and-play is the generic name, in software and hardware, for the protocols that make it easier to connect stuff up and to get it to work.

As you can imagine, convenience of this sort is often the enemy of security, because it can make it too easy to get devices and servers going, and may expose them online much more widely than you expected.

Many consumer and small business routers – the hardware that sits between you and the internet to keep them apart – support UPnP by default. One peculiarly dangerous UPnP feature automates the process by which a computer outside your network can connect to, and interact with, devices inside.

Modern networks usually use NAT, or Network Address Translation. This is the system that lets several PCs share one internet connection, and was introduced nearly 20 years ago to make IP numbers (which are only 32 bits long in IPv4) go further and last longer.

One side-effect of NAT is that it makes it easy for computers to connect out, but impossible, by default, for outsiders to connect inwards.

This happens because the NAT router doesn’t know, when an incoming connection arrives, which of your internal computers to connect to. (Telephone receptionists on your switchboard can answer calls, but can’t put them through to a specific person unless they have an internal directory handy. Same sort of problem for a NAT router.)

NAT, therefore, offers you a little bit of extra security against intrusion, but you get that security as a side-effect, not by design.

And UPnP includes a protocol that allows internal devices, your router, and outside parties to negotiate their own connectivity automatically. The switchboard operator (with or without an internal directory) is cut out of the loop, and incoming calls can find their target automatically.

For this reason, you almost certainly don’t want UPnP enabled on your router.

Turning it off will reduce your attack surface area dramatically, security cameras or not.

Fancy using the free Sophos UTM Home Edition?

You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.

Yes, it helps you keep outsiders where they belong, on the outside!

(Note: registration required.)

Image of security camera courtesy of Shutterstock.