Security vulnerabilities in hundreds of thousands of closed-circuit cameras in use around the world are so severe that they simply should be thrown in the trash, a Boston-based cybersecurity firm said Tuesday.
The vulnerabilities make the cameras prone to getting hijacked and turned into drones in a zombie digital army to disable websites of companies – or conduct large-scale attacks on the internet itself, Cybereason said.
Hundreds of thousands of the vulnerable cameras appear to be in use around the world, and they aren’t designed to receive software updates and can’t be patched, the principal security researcher for Cybereason, Amit Serper, said in a note.
“The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously,” Serper wrote.
In a telephone interview, Serper said he and a colleague, Yoav Orot, who works out of Tel Aviv, discovered the vulnerabilities two years ago but did not pursue the matter, and that they are releasing their findings only now because recent events have shown that everyday items in the “internet of things” can be harnessed together in robotic networks, or botnets, to conduct crippling attacks.
Tens of thousands of videocams, nanny cams and other devices formed a botnet Oct. 21 that attacked part of the internet’s backbone, taking swaths offline along the Atlantic Seaboard and affecting such companies as Airbnb, HBO, Netflix, PayPal, Reddit, Spotify, Twitter and Yelp.
Such botnet armies have been a source of increasing concern since underground hackers on Sept. 30 released the code for malicious software dubbed Mirai, Japanese for “the future,” which vastly simplifies creating botnets.
The ease of hacking into security cameras and the availability of the malware leaves “every Joe Schmoe around the world” with such a device vulnerable, Serper said. “These cameras are really cheap.”
The cameras are widely available in electronics stores and on Amazon in dozens of brands, the researchers said.
“Most of the brands are unknown,” Orot said, adding that multiple manufacturers in China make different parts of the cameras. “We didn’t do extensive research on the supply chain.”
Amazon, the online retailer, did not immediately respond to a request for comment.
Cybereason goes into detail about the two vulnerabilities it found on its site at www.cybereason.com and created a widget so that owners could enter their unique camera IDs and answer a few other questions to determine if their cameras are vulnerable. One of the vulnerabilities makes it easy for an intruder to obtain the camera’s password.
Competition has driven down the cost of the cameras, and there’s little effort to keep them from being hacked.
“It’s usually because the people who write the code are either not proficient enough at programming or are not professional enough,” Serper said. “They make really, really silly mistakes. You grab your head and (wonder), ‘Oh my God, what were they thinking?’”
Owners of internet-connected security cameras should think of them as unwitting back doors into their own computer networks, said Orot, Windows Endpoint team leader at Cybereason.
“A lot of companies think it’s an innocent device (but) it opens the ability to attack, to get into the network, to get a foothold inside the organizational network,” Orot said.
If criminals sought to take over – or “enslave,” in hacker lingo – a single internet-connected camera, it could be used in diabolical ways.
As a criminal looking to distance him or herself from a crime, “I can break into your camera in your house, route all of my traffic through your place of residence and then it looks like . . . you are the criminal, that you did it,” Serper said.