Trend Micro, a cybersecurity solutions provider, recently reported that it blocked ~5 million hacking attempts against IP-connected cameras in just the last 5 months. This means that a hell of a lot of people are trying to hack into Internet-connected cameras. But why?
Well, first of all, it’s pretty easy. Check out Shodan.io—a search engine that allows anyone and everyone to search for Internet-connected devices. Then check out the top-voted searches on Shodan—you’ll see “webcam,” “cams,” “netcam,” etc. My quick search of “default password” brings up the IP address for a device showing the banner information: “Enable and Telnet passwords are configured to ‘password’. HTTP and HTTPS default username is ‘admin’ and password is ‘password’. Please change them immediately.” Think the owner changed “admin” and “password” immediately? Shodan is supposed to be used by ethical hackers, but it is used by security researchers, pranksters, and hackers alike, even just to share and laugh at the most extreme cases of vulnerability.
Once the hacker has access to a connected camera, there are numerous uses that the hacker may want for himself or can sell to others. There are large marketplaces for connected cameras where hackers sell access to cameras by type of content, physical environment, viewpoint, etc., sometimes as streams and other times as recordings. For instance, connected cameras around the halls of your business can help a hacker conduct research for a spear phishing attack or exfiltrate confidential information. A hacked camera pointed at a point-of-sale system or capturing a keyboard can yield payment card information, financial account credentials, or passwords. Your cameras or other devices may also get aggregated as part of a bot network, then rented out for other hackers to use for brute force purposes, distributed denial-of-service attacks, or even for cryptojacking—using your device’s computing power and your electricity bill to mine bitcoin (or other cryptocurrencies). Finally, any connected device, regardless of the data yield (e.g. video feed), is a potential entry point into your network. One famous war story includes hackers infiltrating a casino’s network through the connected thermostat in a fish tank. There are a number of other more nefarious and voyeuristic uses more specific to connected cameras and what they are streaming.
The bottom line is that Internet of Things (IoT) device vulnerability is real. If a device is on your network, or an employee’s device is on your network, it is a vulnerability and must be safeguarded pursuant to your information security program. California recently passed SB 327 in an attempt to regulate minimum security standards for connected devices. Attackers will target anything with an IP address that may have a default username and password, or where credential stuffing will work—using credentials obtained from other security breaches to see if you are using the same username/password combination. More sophisticated hackers will use brute force attacks, which is when the hacker automates trial-and-error login attempts at a rapid pace until a combination works. Even if a manufacturer is forcing a credential change upon connection, many IP-connected devices lack security precautions that defend against brute force, such as locking an account after several failed login attempts made in quick succession.
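The lockout precaution described above, sketched as an added example (not code from the original article or from any vendor): a sliding-window throttle that locks a login after several failures in quick succession. The `LoginThrottle` name, the thresholds, the choice to key on source address plus username, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; tune per device and per information security program.
MAX_FAILURES = 5       # failures tolerated inside the window
WINDOW_SECONDS = 60    # what counts as "quick succession"
LOCKOUT_SECONDS = 300  # how long the key stays locked

class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def record(self, key, success, now):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(key, now):
            return "locked"  # refuse even a correct password while locked
        if success:
            self._failures.pop(key, None)
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

def replay(events, throttle=None):
    """events: (timestamp, source_ip, username, password_ok) tuples."""
    throttle = throttle or LoginThrottle()
    return [throttle.record((src, user), ok, ts) for ts, src, user, ok in events]

# Constructed sample: one source guessing the "admin" password once per second;
# the seventh guess is correct but arrives after the lock has engaged.
GUESSING = [(t, "203.0.113.7", "admin", False) for t in range(6)]
GUESSING.append((6, "203.0.113.7", "admin", True))

if __name__ == "__main__":
    for event, outcome in zip(GUESSING, replay(GUESSING)):
        print(event, "->", outcome)
```

Keying on source address plus username keeps one noisy source from locking out the real owner, but it will not slow guessing spread across many addresses; a per-account counter covers that case at the cost of letting an attacker lock the owner out.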
Trend Micro’s numbers imply that the demand for and value of hacked IoT cameras are increasing exponentially, and one has to imagine the surge will continue as they become more commonplace along with other connected devices. Including connected devices in your information security program is key.