Light Dark
January 28, 2022 By David Bisson 4 min read
Risk Management
Security Services

Earlier this year, an enterprise security camera system maker suffered a data breach. The incident, which involved the compromise of a Jenkins server, enabled a group of attackers to bypass the company’s authorization system, including its two-factor authentication processes. Those responsible for the compromise then abused their access to release the photos and videos of approximately 150,000 Internet of Things (IoT) cameras made by the company, affecting carmakers, jails, schools, hospitals, a security firm and an untold number of other customers in the process.

The attackers also stole a list of client account admin names and email addresses, a list of sales orders and a tool that allowed the attacker to run shell commands on some customer cameras.

Other IoT security incidents involving smart cameras

The incident described above wasn’t the first time where malicious actors preyed on IoT cameras. In October 2020, for instance, WeLiveSecurity shared the news of a threat actor collective having breached more than 50,000 home cameras. The attackers went on to steal the cameras’ footage of people living in Singapore, Thailand, South Korea and Canada. They then uploaded the videos on adult websites and shared them with their members for a price. They even went so far as to sell access for the cameras to ‘VIP members’.

In December 2020, dozens of people sued another smart camera maker over “horrific” invasions of privacy that show a weak point in IoT security. The lawsuit alleged that the cameras came with lax security measures, allowing remote actors to take control of the devices. They further claimed the attackers misused the cameras to harass over 30 people in 15 families. The plaintiffs alleged that the attackers screamed obscenities, demanded ransoms and even threatened murder in some cases.

How organizations can boost IoT security on their cameras

Organizations can continue to implement several best practices as a means of avoiding security incidents such as those discussed above. For example, they’ll want to make sure that they’re maintaining an inventory of all the IoT cameras and other smart devices deployed in their environments. Doing this will help them preserve their visibility over all of their IoT devices. That makes it easier to apply more defensive measures without having to worry about having missed a forgotten asset. It will also help them to learn more about their smart products, such as the assets with which they might be paired. (IoT cameras, for example, might be connected to the wireless network. However, there’s also the chance that they might be paired with an employee’s phone.)

Next, change the default password on any IoT devices in the environment(s). Many IoT passwords are easily guessable or the same across all instances of that same device. This can make it easy for attackers to compromise a device instance that they find running in a corporate network. That’s why it’s important to change the password on an IoT device. Consider using something unique like three random words in a row.

Behavior-based anomaly detection

Finally, organizations need to have some means of detecting potential smart device breaches before they become IoT security incidents. One of the ways they can do that is by using the power of behavior-based anomaly detection. This creates a baseline of normal behavior in and around each device and flags any changes.

With the addition of regular device profile updates, security teams could use any anomaly alerts to hone in on an affected IoT device. They could then disable the device or take other action to shut down a potential attack chain.

Don’t forget about procurement

Looking ahead, organizations need to be careful with their security for IoT devices when they bring new ones into their environments. That’s because the procurement process is fraught with potential threats. In the context of health care, the European Union Agency for Cybersecurity found five primary threat sources related to smart procurement. These are as follows:

  • Natural phenomena such as fires and floods can damage devices and thereby undermine related businesses.
  • Organizations might decide to use a third-party cloud service with their IoT devices. If they do, they need to account for the prospect of a supply chain failure. An outage could prevent those IoT devices from talking with one another, as an example.
  • The events of 2020 gave new meaning to bring your own device by shifting many employees to working from home. Some employees connected personal IoT devices to the corporate network in the months that followed. But without proper IoT security oversight, those employees could commit human errors. These leave their employer exposed to malware outbreaks or data breaches, among other threats.
  • Malicious actions can take on various forms. What if the communication channels between IoT devices and their servers aren’t secured? Threat actors can use those weaknesses to conduct man-in-the-middle attacks and tamper with the information being transmitted.
  • Last but not least, a lack of security measures can lead to system failure. This is even more likely if they don’t have a process for updating firmware in place. Digital attackers can abuse those shortcomings to plant a backdoor and access critical information.

A risk-based approach

In response to those IoT security threats, organizations should consider creating what the National Institute of Standards and Technology calls “a risk-based approach to procurement.” This plan should include working with legal, sourcing and subject matter experts from IT, security, engineering and operations to develop procurement processes. They can also work together on including relevant security standards into potential contracts. If vendors don’t meet those standards, organizations can then exclude their devices.

IoT security as a life cycle

Organizations need to consider the procurement best practices discussed above if they want to defend their IoT devices. This highlights the fact that IoT security is a life cycle. From procurement to retirement, organizations need to monitor the security of their IoT cameras. Keeping track of smart devices is an important part of a comprehensive security program.

 |  |  |  | 
David Bisson

More from Risk Management
April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature