There has been quite a bit in the media lately about consumer-grade webcams and Internet of Things (IoT) devices being used as a springboard for DDoS (Distributed Denial of Service) attacks on popular web services. This post is aimed at the general consumer rather than at people who deal with IT in their day-to-day work: it gives some guidance on how to stop the baby monitors and webcams on the market from being used in a DDoS attack, and from being viewed by a third party.
If you really want to scare yourself with just how wide open many devices are, a quick search on Shodan reveals thousands of devices hooked up to the net that are identified as webcams. Pair that with a quick Google of the default credentials and it is scary to see how many devices can be viewed remotely. To make matters worse, the device's fingerprint can be used to work out which Operating System (OS) it's running, allowing an attacker to exploit known vulnerabilities in that specific OS. Some devices also fail big time by shipping with 'backdoor' credentials, meaning that even if the default username and password are changed, some undocumented account will grant access anyway. This could normally be solved by patching the device as soon as the vulnerability becomes known to the vendor, but unfortunately most of the vendors I've seen appear to abandon upkeep of their devices once released, to keep costs down. This unfortunately puts the responsibility for security on you, the consumer.
Rapid7 has a very good case study where they prodded and poked at popular baby webcams, but if you want to test your own security then head over to shodan.io and simply search for your public IP (you can find this here) and see what comes up. Even if you’re clean, I’d still suggest the five steps below to ensure you’re as secure as you can be:
#1 – Don't use internet-connected webcams if you don't need to. Lower-tech monitors still have their vulnerabilities, but those are confined to someone within physical proximity of your home; an internet-connected device can be accessed from anywhere.
#2 – If you do need to, then power off the camera when not in use or cover it with tape (this goes for the webcam on your laptop too).
#3 – Change the default username and password immediately. If the device doesn't allow this, return it and buy something from a more reputable manufacturer.
#4 – Update the firmware of the device and any phone app used to access it, and make a habit of checking for updates regularly (or better yet, enable automatic updating if available).
#5 – Look for cameras that use HTTPS rather than HTTP for logging in, so that the credentials you enter and the video feed are both encrypted.
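As an added example (not the author's code) of what "search Shodan for your public IP and see what comes up" looks like in practice, and of the HTTPS check in step 5, the script below summarises a Shodan host record for an IP you own. It works on the JSON shape the Shodan API returns for a host lookup, so it runs offline against a constructed sample record; the port-to-risk mapping, the `203.0.113.10` address and the `fetch_record` helper (which needs the `shodan` package and your own API key) are assumptions for illustration.

```python
"""Offline helper for the "check your own public IP on Shodan" step.

Added example for this post, not the author's code. It works on a Shodan host
record (the JSON shape returned by the Shodan API's host lookup); a constructed
sample record is embedded so it runs without network access. The port-to-risk
mapping is an assumption for illustration, not a Shodan feature.
"""
from urllib.parse import urlparse

# What each commonly exposed camera/NVR port implies for the owner (assumed mapping).
SERVICE_NOTES = {
    80:   ("http",     "web login over plaintext HTTP: password and video are unencrypted"),
    8080: ("http-alt", "web login over plaintext HTTP: password and video are unencrypted"),
    554:  ("rtsp",     "RTSP video stream reachable from the whole internet"),
    23:   ("telnet",   "telnet exposed: a common home for undocumented vendor accounts"),
    443:  ("https",    "HTTPS web login: encrypted, but still needs a non-default password"),
}

# Ports whose presence alone means the device should be taken off the internet.
PLAINTEXT_PORTS = {80, 8080, 554, 23}

# Constructed sample record in the Shodan host-lookup shape (TEST-NET-3 address).
SAMPLE_RECORD = {
    "ip_str": "203.0.113.10",
    "ports": [80, 554],
    "data": [
        {
            "port": 80,
            "transport": "tcp",
            "product": None,
            "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="IP Camera"\r\n\r\n',
        },
        {
            "port": 554,
            "transport": "tcp",
            "product": None,
            "data": "RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n",
        },
    ],
}


def summarise_host(record: dict) -> list:
    """Turn each service Shodan saw on your IP into a one-line finding."""
    findings = []
    for svc in record.get("data", []):
        port = svc.get("port")
        banner = svc.get("data") or ""
        product = svc.get("product") or "unidentified service"
        kind, note = SERVICE_NOTES.get(port, ("other", "unexpected open port, check what it is"))
        line = f"port {port}/{kind} ({product}): {note}"
        # A 401 challenge in the banner means the camera's login prompt is the
        # first thing any visitor sees, so a default password offers no protection.
        if "WWW-Authenticate" in banner:
            line += "; login prompt visible to anyone on the internet"
        findings.append(line)
    if not findings:
        findings.append("nothing indexed by Shodan for this IP")
    return findings


def is_exposed(record: dict) -> bool:
    """True if any plaintext web, telnet or RTSP port is reachable from outside."""
    return any(p in PLAINTEXT_PORTS for p in record.get("ports", []))


def login_url_uses_tls(url: str) -> bool:
    """Step 5 check: does the camera's login page use HTTPS rather than HTTP?"""
    return urlparse(url).scheme.lower() == "https"


def fetch_record(ip: str, api_key: str) -> dict:
    """Live lookup of your own public IP (needs `pip install shodan` and an API key)."""
    import shodan  # imported here so the offline parts work without the package
    return shodan.Shodan(api_key).host(ip)


if __name__ == "__main__":
    print("Shodan record for", SAMPLE_RECORD["ip_str"])
    for finding in summarise_host(SAMPLE_RECORD):
        print(" -", finding)
    print("exposed:", is_exposed(SAMPLE_RECORD))
    print("login over TLS:", login_url_uses_tls("http://203.0.113.10/login"))
```

To run it against your real address, replace the sample with `fetch_record("<your public IP>", "<your API key>")`; the findings are only as good as Shodan's last crawl, so a clean result is not proof the device is unreachable, and an `is_exposed` result of `True` is the cue to apply steps 1 to 3 above rather than to wait for a firmware update.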
Scarily, it is becoming more common for devices to be connected to the 'Internet of Things' with little or no thought given to security, and if vendors don't take this seriously I expect we'll continue to see very public attacks either on or from these devices.