back to article Sigh... 'Hundreds of thousands' of... sigh, web CCTV cams still at risk of... sigh, hijacking

Amid ongoing malware infections of IoT gadgets and armies of commandeered gizmos attacking server, glaring security holes in web-connected CCTV cameras are going unpatched. So say researchers with Cybereason, who claim a pair of high-profile vulnerabilities they spotted in surveillance cams two years ago have been completely …

  1. J. R. Hartley Silver badge

    This is bad

    And it's going to get worse before it gets better.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is bad

      Bigley!

    2. Mark 85 Silver badge

      Re: This is bad

      As long as there's no motivation from the manufacturers, it won't get better. Given what we've heard and seen from governments... don't expect motivation from there. Same from customers. No pressure anywhere to fix this crap or make secure crap.

    3. allthecoolshortnamesweretaken

      Re: This is bad

      Are you channeling LBJ?

  2. G R Goslin

    That's all very well...

    ... but to the ordinary user, it's just scaremongering. What he needs, (as I do) are lists of possibly affect-able kit, and tools to establish whether or not they have been compromised. If they cannot be fixed, I'm sure that most people with one of these will just junk it. After all, we're not talking about expensive kit. What we have here, is part of the mushroom culture. kept in the dark and fed bull...it.. If the likes of the people raising this issue can point the finger, why cannot we, the pointed at come to the same conclusion?

    1. Allan George Dyer Silver badge

      Re: That's all very well...

      "If they cannot be fixed, I'm sure that most people with one of these will just junk it."

      Why? Even if they see the warning, as long as it's still functioning, many people will just keep using it, completely unaware or uncaring of the DDoS or other nastyness running in the background.

  3. Anonymous Coward
    Anonymous Coward

    Thank you!

    [target acquired] blanket scans of all open systems in progress...

    Nothing to see here. Everyone just do what you've been doing. No need to update anything at all. This is just what I was looking for.

    Thanks again!

  4. Marketing Hack Silver badge

    Nothing will be done...

    Until an army of infected IoT devices actually starts getting noticeable numbers of people killed, or shuts down major parts of the economy. Otherwise, retailers and IoT crapmerchants will lobby their way out of regulations and liability.

  5. Anonymous Coward
    Anonymous Coward

    IoT devices need a universal logo

    Then they can be easily avoided.

    1. Mark 85 Silver badge

      Re: IoT devices need a universal logo

      Maybe a "steaming pile" would do. I think there's an emoji which might be a start.

    2. Brian Miller

      Re: IoT devices need a universal logo

      Anything that connects to the network is an IoT device, and thus exploitable. Heck, even USB sticks can be exploited.

      There seems to be a race on to produce the smallest bit of hardware with a network interface. Mind you, it doesn't take much to have an IP network running. And first the whole computer wasn't much larger than an RJ45 jack, and now you get a wireless computer the size of a dime. You want to try and avoid that? The things are everywhere.

      Really, any kind of certificate, except "No electronics inside," is useless. As long as it can be reached through the network, and it can't update itself, it's basically screwed. Really, I wonder why OpenBSD isn't available in an embedded distro.

      1. John H Woods

        Re: IoT devices need a universal logo

        "Really, I wonder why OpenBSD isn't available in an embedded distro" -- Brian Miller

        Isn''t this what tools like flash-rd do, generate OpenBSD images for embedded devices? Personally I don't understand why the IoT manufacturers don't start with something like OpenWRT.

  6. This post has been deleted by its author

  7. druck Silver badge

    OpenCAM?

    What's needed is the camera equivalent of OpenWRT for routers, allowing the vulnerable firmware to be replaced with something more secure - as long as the camera has re-programmable flash.

    1. John H Woods

      Re: OpenCAM?

      Some people are already working on this, e.g. https://blog.tho.ms/hacks/2016/08/28/openwrt-on-logilink-wc0030a.html. It seems a promising approach.

      Maybe a partial solution to IoT devices is that manufacturers must make the devices user-modifiable the moment they stop supporting them (which in many cases is the moment they leave the factory).

  8. Anonymous Coward
    Anonymous Coward

    What is meant by "internet facing"

    The common use case is that people add these cameras to a WiFi network that is connected via a router to the Internet. Being able to hack the camera from the LAN side, which is what the video seems to demonstrate, is of course a major vulnerability, but the real-world problem most people face is attackers getting to the cameras from the WAN side.

    I possibly haven't had enough coffee yet this morning, but how do you find a Vstarcam behind a NAT and send it one of these packets if you haven't hacked the cloud protocol?

    1. elhvb

      Re: What is meant by "internet facing"

      "Below is a video showing how easy it is to exploit an at-risk, internet-facing surveillance camera remotely."

      keyword: internet-facing. And there's many of them. Not in people's homes but used for crossings etc. Because: oh that's easy to use if can be accessed from anywhere...

    2. Dwarf Silver badge

      Re: What is meant by "internet facing"

      @AC

      See the thread about a month ago which explains how devices can be compromised from behind home NAT routers.

  9. lukewarmdog

    hack them first

    If we accept that these devices are eminently hackable and that at some point they're going to be used for bad things, can't the good guys hack and disable them for the greater good?

    We've seen some big DDOS taking out chunks of the Internet very simply. As people add more crap, the chunk size and duration of the DDOS is just going to increase.

    Not sure if I feel it's unethical to bork everyones wifi camera / printer / dongle / etc. but then I think about the greater good. And then I think.. who cares if people can't play wow over Xmas, who cares about all the poor lolcat videos that won't get watched. It would even be a bonus if Trump couldn't tweet and / or I couldn't read about his tweets over the festive period.

    And in some ways maybe THAT is the greater good, with no Internet, people can socialise, read books, play out in the snow on that new bike they got for Xmas. And then I think about having to socialise with my in-laws and I'm back to needing the Internet to protect me over the holidays.

  10. wolfetone Silver badge

    Like I said to the British Gas man who was trying to sell me that "Hive" automated thermostat thing: "If I can change the heat in my house from my phone when I'm at work, someone else can do that to my house too".

    So while I plan on putting CCTV in my home, it'll be on a device that can only be accessed in the home and not connected to the internet. That's literally the most secure way to run these cameras.

  11. Dwarf Silver badge

    In the mean time

    If you must have an internet connected widget, then put it behind OpenVPN and accessing it via that, then at least you have a decent security perimeter, irrespective of the defects in the Internet of Tat devices

    Admittedly this isn't the sort of thing the average consumer will do, but its cheap as you probably already have a spare Raspberry Pi lying around and the major App stores have the OpenVPN clients available.

    Part of the problem is that people see a widget and think "that's cheap, I'll get one". Never in their thought process do they consider its network access requirements or security impacts. Obviously this in turn leads to the race to the bottom on cost with competing vendors, so things get worse.

    I think that all of us as more technically aware people need to be educating our friends, neighbours, etc. so that they understand the risks and perhaps will think twice next time before they purchase the next shiny widget they see.

    Fully agree with the other posters that we need a minimum bar for any connected device. Also interested in the OpenWRT or equivalent approach, but I expect that the "built to a price" issue means that the devices will have virtually no internal storage and reverse engineering the devices to get things functional will be problematic - just like it was when WhiteRussian first came out.

  12. ukgnome

    let's cluster these all together and create a terrifying all seeing computational menace.

  13. Colin 29

    "Good" manufacturers?

    So are there any manufacturers providing decent cameras with regular security updates?

  14. Stevie Silver badge

    Bah!

    I know I'm feeling the strain when I find myself reading this article and thinking "couldn't that nice Mr Trump just order the NSA counter-geek-geeks to run a massive program to pwn-and-brick these threats to national cybersecurity?"

    If the devices stop working, and do so when replaced, eventually the buyer will beware on their own.

    Because warnings of a nebulous intrenet-borne threat are incomprehensible and therefore ignorable by the vast majority of normal people.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019