Friday, 16 August 2013

Baby Monitor Hack Shows Weakness of Networked Cameras

Image via Flickr user Roxanne Ready
In an unbelievably creepy story out of Texas, a hacker took control of a video-enabled baby monitor to spy on and shout insults at a two-year-old girl and her parents. The harrowing experience has shaken up the victimized family, and underlines just how unsafe some of these networked products really are.
Reportedly, Marc Gilbert heard a strange voice coming from his young daughter's room. Upon entering he was surprised to discover it was coming from the video camera baby monitor he and his wife used to keep an eye on their deaf child. Thankfully, her deafness meant that she missed the litany of obscenities the hacker spouted at her, Gilbert, and Gilbert's wife Lauren.
The Gilberts were using a Foscam camera setup, and had even changed the default passwords. What they didn't know was that their device had a known vulnerability, revealed back in April.
Foscam had already released a firmware patch for the camera, but that required consumers to download it themselves. Once a product is on shelves, it can be difficult if not impossible to inform consumers that they might be at risk.
We've Seen This Before
At Black Hat 2013, SecurityWatch was floored by a Tactical Network Solutions demonstration on similar cloud-enabled cameras. In fact, it was one of our top ten scariest stories from Black Hat.
During the demo, researcher Craig Heffner showed a stunned audience how they could not only feed a static image back to a camera in that famous heist movie maneuver, but use a hacked camera to attack networks. "I'm in your network, I can see you, and I'm root," said Heffner during the demo. "Not a bad position! I have root-level control of a Linux-based machine inside your network."
The really scary part? Security problems on cloud cameras aren't just limited to Foscam or even the ones Heffner used in his demonstration. When asked which cameras were susceptible to such attacks, Heffner quipped that he'd yet to find a camera he couldn't hack.
How to Stay Safe
This is tricky because, as Heffner demonstrated, the technology used to secure these cameras is full of holes. Gilbert seems to have done more than most users and changed the default password—a surprisingly frequent avenue for attack.
The best advice we can offer is to carefully evaluate whether or not you really need networked cameras. Having the devices online is certainly convenient because you can check on them from anywhere, but it also leaves them wide open for attack. If cameras are a must-have in your home or office, consider closed-circuit models or ones that aren't exposed to outward-facing network connections.
Also, look to see if the camera has any firmware updates. Remember, the company might not always tell you when they push out such patches, no matter how critical they might be.
As we hurtle toward the brave new world of the Internet of Things, where everything from pacemakers to telephones is connected to the Web, stories like this are a sobering reminder that a digital life needs to include digital security.
