
IP Cameras - Who's watching you?


exile360


I just saw this rather disturbing video on YouTube.  It's a talk from a speaker at Black Hat 2013 documenting his discovery that virtually every IP camera whose firmware he has been able to get his hands on has proven to be extremely vulnerable to attack and remote hijacking by anyone even remotely knowledgeable in basic web scripting in most cases, and unfortunately it looks like little has changed in the years since as most vendors either aren't aware as they're using copied firmware from other vendors and because most users never update their firmware for such devices.  Unfortunately most of the exploits he describes are actually hard-coded into the firmware of these devices so no amount of proper password security and secure setup will render them immune to remote access and hijacking.  It's a 33 minute video, but I highly recommend watching it as he does an excellent job of explaining how it all works and why it is so widespread and unlikely to be fixed.  For reference, his talk took place in 2013 and the initial vulnerability was actually reported way back in 2011 and at the time of his talk, the majority of vendors still had not done anything to patch the vulnerabilities:

For more recent news on the subject, please refer to this article from 2017, just 2 years ago, which cites many of the same vulnerabilities as still existing at the time across many devices, as validated and reported by AV-Test, whose original writeup on the subject can be found here.

A more recent report on the issue, this time from just last year can be found here and data pulled from Shodan listing vulnerable as well as already hacked/backdoored cameras can be found here, though be advised they may possibly be biased as they are also promoting certain brands/products via their own camera search/recommendation page/tool, though they do seem to be more of a general surveillance resource than an actual promotional/SEO affiliate type site (i.e. they appear to have real content, not just scare tactics etc. to promote sales) but a grain of salt is still advised and I'd recommend doing your own research if you aren't sure about your own cameras if you have any or if you are considering purchasing any.

This highlights the ongoing issues with relatively insecure IoT devices across the net and the world, with cheaply manufactured products using poorly written software and firmware, yet designed to have total access to and control over many things in our daily lives to make things more secure or more convenient, we've let these devices into our lives, into our cars, into our places of business and even into our homes.  Some people even use online baby monitors which, just as with the IP cameras, are somewhat notorious for poor security and vulnerabilities meaning you may not be the only one keeping an eye and/or ear on your children (and such devices also come in super handy for any would-be burglars who want to determine when you aren't home and what your daily schedule is to know when you're likely to be away for long periods of time, as well as how to get in and the general layout of the place (in the case of cameras in the house and outside), as well as potentially where many of your valuables may be kept, and if vulnerable, they can twist these devices to their own purposes and conceal their nefarious actions from you, making it appear that everything is completely normal while they ransack your home).

Malwarebytes Labs recently did a series of articles on the subject of stalkerware and the role it can play in domestic abuse situations, leaving their mark long after the abuser is out of the home of the victim, and vulnerable IoT devices and even devices where the victim has simply failed to remove, replace or at least change the access codes/usernames/passwords to can also be exploited for this purpose, potentially giving an abuser full access to monitor and potentially further psychologically torment their victims.  In fact, CBC did a rather startling report late last year on this very subject discussing vulnerable IoT devices and the dangers and risks they can present and you can view it on YouTube below:

Just some food for thought.  It's scary that devices we may be using to make us feel more secure could be the very things exposing us to the greatest risks.


It's the state of IoT (something that has not made it into my house, and never will while I am alive and maintaining my networks).

It's actually one of the reasons I'm quasi-hopeful about the Broadcom acquisition of Symantec... not very hopeful, mind you, but there is a kernel there...


3 hours ago, gonzo said:

Just wait until your toothbrush chases you around the house, demanding the opportunity to serve you.

The nagging toothbrush is already here:

https://shop.colgate.co.uk/pages/e1

'Bluetooth' is a bit of an unfortunate description for a toothbrush.

Edited by nukecad

If you want Bluetooth technology (for smurfs or others):

Quote

That’s why Colgate Total Advanced Visible Proof toothpaste is designed with unique colour change technology – when you brush, the white foam turns blue.

https://www.colgate.com/en-gb/products/toothpaste/colgate-total-visible-proof-toothpaste

There can be only one question - Why?

