Smart Camera Security
Modern homes are increasingly hosting connected devices, with many owners unaware that they are participating in the Internet of Things and the risks that come with it. While not necessarily building a smart home, many families now have connected TVs and media players, and increasingly are opting for connected cameras. Unfortunately these cameras are proving to be the greatest weak point in home networks, with recent research finding that 47 percent of vulnerable devices on home networks are in this category.
Now, it’s worth pointing out that these vulnerable devices are not your name brand smart cameras such as Ring and NetGear’s Arlo range, often costing hundreds of dollars. What we are dealing with are the plethora of cheap off brand IP cameras churned out by low end electronics manufacturers to make a quick buck. Many of these devices are cookie cutter knockoffs of one another built on hastily thrown together software to get a working product that is cheap to make, and easy for end users to set up.
We’re also not talking about targeted attacks. You’re not likely to have a black hat going to great lengths to hack into your specific network, but these days they don’t have to. Cyber criminals work on automation at scale, scanning for known vulnerabilities and open ports across the internet. Often these attacks are driven by botnets or worms which constantly look for new targets to infect. In 2017 the Persirai botnet was discovered to be targeting over 1000 models of IP cameras using based on the same code base. This allowed the botnet to use the same open port on every camera to access to internal cameras web interface and add it to the botnet.
In many cases the owners of these cameras aren’t even aware the camera has an open connection to the internet, which means there is very little chance these problems will get solved. In the case of Persirai, the botnet was using these devices to perform DDoS (Distributed Denial of Service) attacks to take down targeted web sites, often for ransom. But these same vulnerabilities are also leveraged by organised criminals to act as a doorway to access the far more juicy contents on peoples home networks.
Personal data such as login credentials, bank details, and personally identifying data are all harvested and used in identify theft, or simply on sold to other criminal ventures. This is where consumers have a very real interest in protecting their networks.
What To Do
While the most egregious issues are in cheap off brand devices, even name brand smart cameras need to be treated with caution. These devices can expose your most intimate details as they are literally recording the goings on around your home (depending on where they are installed).
There are, of course, inarguable benefits to clouds connected cameras; the value in being able to access video feeds from wherever you are, intelligent alerting of activities when you are out, capturing video events in the cloud to ensure they can be retrieved no matter what happens to the cameras, and the ability to easily share recordings with friends, security or law enforcement as required.
Generally speaking, devices from specialist name brand companies employ far better software design, and have a far better security focus. They do this simply because it’s good business. They are endeavouring to make a recognisable security brand, and attract a lot more scrutiny from media and security researchers alike. As such, it’s in their best interests to ensure they don’t have any embarrassing security gaffs.
But security is genuinely hard. It’s easy for seemingly minor mistakes to be overlooked and exploited to worm into a devices software and take advantage. Even here, you get what you pay for. Specialists camera makers like Ring, Canary, NetGear and Anker maintain their products via over the air updates, and issues can be quickly addressed when discovered. Cheap Off brand products, on the other hand, are likely to never get a software update, or even have the capability to do so.
So the first rule of connected camera security is to skip the cheap junk. It’s just not worth the risk, and they won’t last anyway. Go for a name brand platform that offers automatic updates and strong encryption.
The second rule is to employ a basic security premise to protect your home network. Whenever possible, connected devices should be set up on a seperate network to your main devices (your phones, tablets, computers and such). Any decent router will have a guest network feature, which creates a seperate wireless network that your untrusted devices can use to access the internet without getting any access to your other stuff.
In most cases, smart cameras will use their own cloud service to talk to your phone app, which means there is no direct connection with the camera once they are set up. This makes using a guest network ideal. It keeps them off your main network, but still enables full use of the cameras features. This way, if there is a vulnerability in the camera, they cannot be used to get access to anything important.
The third protection is a bit more niche, but increasingly is strongly recommended. Get yourself a network protection device that can keep an eye on your network for you, identify unusual or known bad behaviours, and allow you to lock things down. There are a dozen devices on the market today with varying capabilities and some require ongoing subscriptions. However, all you really need is something a Fingbox. It’s an affordable standalone device, very easy to set up and offers a variety of nice value added features for managing your network and internet connection.