Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Technology

Someone Is Taking Over Insecure Cameras and Spying on Device Owners (bleepingcomputer.com) 57

As security webcams, security cameras, and pet and baby monitors become part of our lives, their underlying technology is increasingly receiving scrutiny from researchers. Many of these devices are woefully insecure, and an attacker could -- and in some cases, has -- take over these devices to perform internet scans, among other things. BleepingComputer's Catalin Cimpanu dives into the subject: In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID, and a password found on the device's box or the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's device in turn, based on the device ID and the last IP address the device has reported from.


This discussion has been archived. No new comments can be posted.

Someone Is Taking Over Insecure Cameras and Spying on Device Owners

Comments Filter:
  • by Anonymous Coward

    This indicates that it's a rare or relatively small occurrence, when in reality this is happening by thousands of people at any one moment. Stop buying terrible insecure public-facing IP cameras!

    • by AHuxley ( 892839 )
      Lets stop the few big search engines from displaying the needed search results to find any such networks.
      When nobody can find the open networks, then the wide open IoT networks are not going to be accessed.

      Nobody can design their own internet search engine to scan global networks.
      Even if some smart person could design the method to run their own search engine they could not buy the bandwidth needed.
      A person with the smarts and bandwidth would need a lot of time to collect such IoT data globally.
      N
    • I've installed Hikvision cameras in my warehouse. They are pretty neat cameras for the money, with h265 support and nice resolutions, saving you A LOT of data storage. But they are seriously unsecured. All of them are inside a VLAN that doesn't allow traffic to the internet or the rest of the network. Despite that, Hik-Connect works just fine through a VPN, so I don't know why you need this stuff uploading to the "Cloud".

      But despite all these simple things you can do to secure these security cameras, nobody

      • You'd think if you're going to spend 50k or more on security cameras that people would bother to secure them?

        Why? From the installer's point of view actually securing the cameras is a lot more work and raises the cost. Cost is the driving factor in the consumer's mind, and most consumers have no way to evaluate the security. So an installation that's actually secure costs much more than an installation that merely claims to be secure. A secure system also generates a lot more service calls. "Help! I lost m

      • by d0rp ( 888607 )

        so I don't know why you need this stuff uploading to the "Cloud".

        The only real reason I've been able to come up with for why you want to upload your home security video to "the cloud" would be to have an off-site backup so you have a way to look at the video and see who burned your house down. A reasonable solution to that would be to have it periodically encrypt the footage and upload it to some general "cloud" storage solution where only you have the key to unlock it. Why anyone would want to have a camera in their home watching them all the time being uploaded and con

    • Quite. It's closer to everyone.

  • Unsecured (Score:2, Informative)

    by Anonymous Coward

    Please use the right term. I know the other can mean it but..ugh

    • Seriously, this should not have been downvoted.

      That a request for precision in technical language is considered troll worthy on /. is about as sure a sign that we're gonna get that this place has well and fully jumped the shark.

    • This. Don't anthropomorphize cameras. They hate that.

  • We now can have hackers tapping all those cameras in schools!

  • by Snotnose ( 212196 ) on Friday June 22, 2018 @09:14AM (#56828168)
    30 years ago I was sysadmin for a network of maybe 20 Sun workstations. We got some new machines, naturally the boss got the first one. Found out about the mic and told the boss this might be a problem. He asked "why? It can be useful". I asked him to give me a minute, then call someone into his office and small talk for a minute. I went to my cube, logged into his machine, recorded him for a minute or so, then mailed him the audio file.

    Spent the next couple hours opening up these brand new workstations and clipping a wire.

    Why yes, I do have tape over my laptop camera. Why do you ask?
    • by mikael ( 484 )

      You could do that with SGI workstations as well. Login remotely, take a framegrab of the camera and record the microphone.

  • by forkfail ( 228161 ) on Friday June 22, 2018 @09:32AM (#56828286)

    ... in the previous story: Should facial recognition cameras be in schools? [slashdot.org]

  • Proper security is to drop traffic by default, white list what you need. You never truly know what your devices will try to do. As an example fitting to this article, I installed security cameras outside my home and linked them to a linux based PVR for the interface/recording. I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws. I never asked or gave consent for
    • I buy them for their capabilities. I block them all automatically expecting them to be unsecured or calling home. That's the nature of things right now. Device makers are trying to make an easy plug and play device for customers while at the same time creating a device that's just completely unsecured. Because making a device difficult to use to normal people doesn't sell.
  • You mean putting an always on, always connected streaming camera in your home is a privacy and security issue?

    I just can't believe that.

  • This title feels to me like the time I heard that "The Nigerian Prince scam has been shut down". The? The? The? Does anyone actually believe that any of these things are due to one bad actor?
  • So does Scarlett Johansson have a baby monitor?

    Asking for a friend.

  • The cloud server cannot connect to the camera. The camera has to be permanently connected to the server because it is usually behind a home router. Unless it is a very old ip cam which only has a http based mjpeg stream.
  • but i seen this sort of thing happening so i bought a second router just for my four cams i use to monitor four different directions outside my home, none of them are connected to the internet because this second router does not have internet access it is a LAN only setup, not only does it keep the cameras off the internet those four cameras streaming live video are a bandwith hog so my internet is not being bogged down with straming video on the LAN side

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...