Remember that web camera we wrote about recently that allowed the crooks to keep an eye on you while you were keeping an eye on them?
The device streamed its surveillance video over HTTP, leaving it wide open to eavesdropping.
As we pointed out satirically in a recent Chet Chat podcast:
The suits-both-sides security camera! […] At the same time that you’re keeping an eye on the crooks, the crooks can keep an eye on you, because it’s all open. What a fantastic idea for a security camera!
LISTEN NOW: Is that webcam *supposed* to be on the internet? [0’30” to 3’55”]
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
Here comes another fantastic idea for a security system… a hard-coded root password for the web interface!
CSO recently reported just such a programming disaster found during research by US company Risk Based Security (RBS), which looked into the firmware of a widespread brand of surveillance DVR.
DVR is short for Digital Video Recorder, which in this product range accepts connections from one or more video cameras, recording the separate inputs for security purposes, and allowing you to move and zoom the cameras remotely.
The affected products are managed, like so many Internet of Things devices, via a web interface.
💡 JARGON FREE: What is the Internet of Things? ►
If you’ve installed the DVR and its cameras in some remote location, like a warehouse out in the suburbs, or in the ceiling of the cricket pavilion, you may very well have linked the device to your home network by the simply expedient of connecting it to the internet.
In that case, you run the risk that anyone might connect to it, and try to guess your password.
In other words, you’d better choose a decent one.
💡 2 MINUTE TUTORIAL: How to pick a proper password? ►
Except that it doesn’t really matter what you choose, because the vendor helpfully programmed the device with a can’t-be-changed, visible-in-the-firmware root password.
So a crook can just login and change your password anyway.
Modesty forbids us from telling you what the hard-wired password is, but it consists of just six digits.
(To be fair, length and complexity are largely irrelevant for fixed passwords, because once someone knows it, everyone knows it, so you can just copy and paste it regardless of how long it is.)
Apparently, the vendor in this case sells its product for rebranding under many names, so we can’t give you a reliable list of the devices that might be affected.
But the RBS researchers used IoT “online device search engine” Shodan to look for devices that would probably accept the known password (probably because actually logging in to prove the point would be a legal minefield), and quickly came up with more than 36,000 hits.
WHAT TO DO?
Given the range of different brands that might be affected, it’s hard to give specific advice on how to find out if your device is vulnerable.
All we can suggest is trying your own surveillance DVR – not anyone else’s, OK? – to see if this particular password works. (We give in: it’s 519070.)
If it works, you’re in trouble; if not, you’re still not sure whether there’s a similar hole in your device, only with a different string as the password.
For that reason, until the IoT market matures and starts taking security seriously, we suggest that you keep these devices segregated on a subnetwork of their own, behind a firewall that only allows you to connect through if you login to a Virtual Private Network (VPN) first.
💡 JARGON FREE: What is a VPN? ►
That way, only pre-authenticated remote users can get access to the network on which your IoT devices accept their connections.
That will restrict the number of computers that can get close enough to those IoT devices to have at them to probe for security weaknesses like hard-wired passwords.
7 comments on “More IoT insecurity: The surveillance camera that anyone can log into”
At least it’s not 123456.
Ha ha or password
Lets give the device a “d” rating, it works but it’s not safe, so it’s “d”umb. I think everyone can read it no matter how it’s spelled if all the letters are there: dIoT
Your article is such an eye opener on this topic, I have recently been wondering how secure IoT is esp when used outside a VPN environment. Thanks for a great article.
Duck wrote “The device was outed at PrivacyCon, a security conference organised by the US consumer watchdog, for streaming its surveillance video over HTTP.”
This sentence desperately needs rearranging. I had to read it three or four times, to figure out that it wasn’t PrivacyCon streaming its surveillance video or a security conference streaming its surveillance video, or the US consumer watchdog streaming its surveillance video.
The prepositional phrase “for streaming its surveillance video over HTTP” as way too far removed from the noun (“device”) it modifies.
You’re right, despite the commas that clearly delimit the parentetical remark. I’m slimming it down…
…take a look now.