Serious vulnerabilities discovered in IoT-based surveillance cameras

Smart security cameras manufactured by global brand Hanwha Techwin have been found to be vulnerable to remote attacks, which also exposes other devices on the same network to security threats.



Lack of security in IoT devices is becoming a major concern as vendors and users push to deploy a growing number of connected solutions in both the enterprise and home space. Researchers from Kaspersky Labs have found security flaws in popular smart cameras used for surveillance that hackers can exploit to launch attacks.

In total, 13 bugs have been uncovered in the SmartCam range of IoT cameras made by the South Korean company Hanwha Techwin, a global player in surveillance and weapons systems. Although Hanwha Techwin is working to patch the vulnerabilities, the incident has once again exposed security flaws in IoT devices.

The vulnerabilities found in the cameras include the use of insecure HTTP, remote command execution with root privileges, and no protection against brute-force attacks on the camera’s admin password. Researchers say that the vulnerabilities can enable hackers to steal information, spy on users, and even use the cameras' computing power to mine cryptocurrencies.

Makes the entire network vulnerable

The discovered vulnerabilities include the use of the insecure HTTP communications protocol and weak protection of credentials. These could easily allow an attacker to take control of the devices, or even use them to launch attacks within a connected network. As a prerequisite, attackers need the serial number of each camera being attacked, which the researchers found relatively easy to obtain.

“The way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system doesn’t have brute force protection,” stated Vladimir Dashchenko, researcher at Kaspersky Labs' ICS CERT Vulnerability Research Team.

One of the most serious findings is that an attacker can root the camera and spoof the DNS server addresses in the camera’s settings. The camera can then be turned into a launch pad for further attacks on devices sharing the same local network.

"For one, the attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of them, or build a botnet of vulnerable cameras. Another example of a dangerous vulnerability in this smart camera is in the cloud server architecture. Because of a fault in the architecture, an intruder could gain access via the cloud to all cameras and control them," says Dashchenko.

Security challenge with IoT devices

The report comes just as security and privacy issues are being discovered in a wide range of consumer smart devices, including Amazon’s Alexa, proving that IoT security is a growing challenge for both vendors and consumers.

“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most of the security problems – or at least significantly decrease the severity of existing issues,” said Dashchenko.