According to numerous recent studies, the market for internet-connected security devices is growing and will continue to do so in the near future. There has been an increase in overseas companies, particularly in China, that are manufacturing inexpensive security products such as cameras to meet the growing consumer and business demand. These cost-effective devices are certainly an attractive option to many who may not otherwise be able to afford the buy-in for even a mid-range solution. However, it is becoming clearer that these kinds of low-cost devices could create more security risks than they solve.
While not directly business related, the story of a South Carolina mother highlights the potential problems inherent in the expanding Internet of Things (IoT) security device marketplace. In an interview with ABC News, Jamie Summitt detailed the fallout from her family’s use of a $34 Fredi Wireless 360-degree motion baby monitor system. The camera was positioned so she and her husband could monitor their 3-month-old baby while he slept in his bassinet. The camera sent the video feed over their Wi-Fi connection, where they could check in on their son via an app on their phones.
One day, while feeding her baby in a chair near her bed, she noticed the camera swiveling between the bassinet, the chair, and her bed. She figured it was her husband checking in on them while at work. However, it became clear that the device had been hacked when both she and her husband – the only people with access to the camera – were sitting and eating dinner together while the baby slept upstairs. Neither of them was controlling the camera, yet it panned from the bassinet, over to their bed, and then back to the bassinet.
They reached out to the North Charleston Police Department, who sent an officer over to investigate. When the officer entered the bedroom where the camera was located, Summitt assumes that the hacker was monitoring the device. The camera’s app stopped working and pushed an error notification citing “insufficient permissions.”
Should IoT Devices Be This Connected?
While Summitt admits that she and her husband should’ve done more research, they did follow some basic recommended security protocols, such as changing the device’s default login and password to something more complicated. However, this doesn’t seem to have been enough to thwart the hacker. In a conversation with Threat Post, Rick Moy of cybersecurity firm Acalvio notes that “the influx of inexpensive internet-connected camera products from China makes it extremely difficult for average consumers to evaluate anything beyond basic functionality.”
Moy suggests (rightfully) that the backend of many of these devices is basically a black box, and that without “better transparency” it’s unlikely that we can truly know how secure the device is, or even who else has access to the device’s output.
This is not the first time this year that major vulnerabilities have been discovered in a security camera. In March, researchers with Kaspersky Labs discovered flaws in a camera produced by Hanwha Techwin that allowed a hacker to take control of the device. A cybersecurity research team from Ben-Gurion University of the Negev (BGU) was able to easily hack several off-the-shelf security devices through minor reverse engineering tweaks.
One way to ensure that these devices stay secure is to keep them entirely offline unless there is an absolute necessity. Speaking to Threat Post, Mike Banic, vice president of cybersecurity developer Vectra, suggests “air gapping” these kinds of IoT devices. In this instance, the security camera would still be on a home network but disconnected from the internet. Banic states that “checking on a baby from another room of the house doesn’t require internet connectivity.” An air gap “would ‘unplug’ the persistent connection that the attacker had to the baby cam.”
The same would hold true for a business use case as well. Keeping IoT devices, especially security cameras, on an air-gapped network would prevent threat actors from disabling them or from using them to access protected information such as network user login credentials.
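One way to check that a camera placed on such an isolated network really stays off the internet is to review flow records for any destination outside local address space. The script below is an added example, not part of the original article; the camera addresses, the `(source, destination, port)` record layout and the sample flows are constructed assumptions, with documentation-range addresses standing in for internet hosts.

```python
import ipaddress

# Address space that never leaves the local network (explicit list; Python's
# is_private is avoided because it also covers documentation ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "224.0.0.0/4", "ff00::/8", "255.255.255.255/32",   # multicast, broadcast
    "fc00::/7",                                        # IPv6 unique local
)]

# Constructed sample data (assumption): camera addresses and flow records.
CAMERAS = {"192.168.50.20", "fd00:50::20"}
SAMPLE_FLOWS = [
    ("192.168.50.20", "192.168.50.5", 554),      # video to a viewer on the LAN
    ("192.168.50.20", "239.255.255.250", 1900),  # SSDP multicast
    ("192.168.50.20", "255.255.255.255", 67),    # DHCP broadcast
    ("192.168.50.20", "203.0.113.77", 443),      # off-LAN destination
    ("fd00:50::20", "fe80::1", 547),             # IPv6 link-local
    ("fd00:50::20", "2001:db8::99", 8883),       # off-LAN destination
    ("192.168.50.5", "198.51.100.9", 443),       # not a camera, ignored
]

def stays_local(dst):
    """Return True if the destination is inside local-only address space."""
    addr = ipaddress.ip_address(dst)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in LOCAL_NETS)

def egress_violations(flows, cameras):
    """Return flows where a camera contacted a destination outside the LAN."""
    cams = {ipaddress.ip_address(c) for c in cameras}
    return [(s, d, p) for s, d, p in flows
            if ipaddress.ip_address(s) in cams and not stays_local(d)]

if __name__ == "__main__":
    for src, dst, port in egress_violations(SAMPLE_FLOWS, CAMERAS):
        print(f"camera {src} reached {dst}:{port}: isolation is not holding")
```

Any flow it reports means the device still has a path to the internet, so the router or firewall rule meant to isolate it needs review.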