Earlier this year, an enterprise security camera system maker suffered a data breach. The incident, which involved the compromise of a Jenkins server, enabled a group of attackers to bypass the company’s authorization system, including its two-factor authentication processes. Those responsible for the compromise then abused their access to release the photos and videos of approximately 150,000 Internet of Things (IoT) cameras made by the company, affecting carmakers, jails, schools, hospitals, a security firm and an untold number of other customers in the process.
The attackers also stole a list of client account admin names and email addresses, a list of sales orders and a tool that allowed the attacker to run shell commands on some customer cameras.
Other IoT Security Incidents Involving Smart Cameras
The incident described above wasn’t the first time where malicious actors preyed on IoT cameras. In October 2020, for instance, WeLiveSecurity shared the news of a threat actor collective having breached more than 50,000 home cameras. The attackers went on to steal the cameras’ footage of people living in Singapore, Thailand, South Korea and Canada. They then uploaded the videos on adult websites and shared them with their members for a price. They even went so far as to sell access for the cameras to ‘VIP members’.
In December 2020, dozens of people sued another smart camera maker over “horrific” invasions of privacy that show a weak point in IoT security. The lawsuit alleged that the cameras came with lax security measures, allowing remote actors to take control of the devices. They further claimed the attackers misused the cameras to harass over 30 people in 15 families. The plaintiffs alleged that the attackers screamed obscenities, demanded ransoms and even threatened murder in some cases.
How Organizations Can Boost IoT Security on Their Cameras
Organizations can continue to implement several best practices as a means of avoiding security incidents such as those discussed above. For example, they’ll want to make sure that they’re maintaining an inventory of all the IoT cameras and other smart devices deployed in their environments. Doing this will help them preserve their visibility over all of their IoT devices. That makes it easier to apply more defensive measures without having to worry about having missed a forgotten asset. It will also help them to learn more about their smart products, such as the assets with which they might be paired. (IoT cameras, for example, might be connected to the wireless network. However, there’s also the chance that they might be paired with an employee’s phone.)
Next, change the default password on any IoT devices in the environment(s). Many IoT passwords are easily guessable or the same across all instances of that same device. This can make it easy for attackers to compromise a device instance that they find running in a corporate network. That’s why it’s important to change the password on an IoT device. Consider using something unique like three random words in a row.
Behavior-Based Anomaly Detection
Finally, organizations need to have some means of detecting potential smart device breaches before they become IoT security incidents. One of the ways they can do that is by using the power of behavior-based anomaly detection. This creates a baseline of normal behavior in and around each device and flags any changes.
With the addition of regular device profile updates, security teams could use any anomaly alerts to hone in on an affected IoT device. They could then disable the device or take other action to shut down a potential attack chain.
Don’t Forget About Procurement
Looking ahead, organizations need to be careful with their security for IoT devices when they bring new ones into their environments. That’s because the procurement process is fraught with potential threats. In the context of health care, the European Union Agency for Cybersecurity found five primary threat sources related to smart procurement. These are as follows:
- Natural phenomena such as fires and floods can damage devices and thereby undermine related businesses.
- Organizations might decide to use a third-party cloud service with their IoT devices. If they do, they need to account for the prospect of a supply chain failure. An outage could prevent those IoT devices from talking with one another, as an example.
- The events of 2020 gave new meaning to bring your own device by shifting many employees to working from home. Some employees connected personal IoT devices to the corporate network in the months that followed. But without proper IoT security oversight, those employees could commit human errors. These leave their employer exposed to malware outbreaks or data breaches, among other threats.
- Malicious actions can take on various forms. What if the communication channels between IoT devices and their servers aren’t secured? Threat actors can use those weaknesses to conduct man-in-the-middle attacks and tamper with the information being transmitted.
- Last but not least, a lack of security measures can lead to system failure. This is even more likely if they don’t have a process for updating firmware in place. Digital attackers can abuse those shortcomings to plant a backdoor and access critical information.
A Risk-Based Approach
In response to those IoT security threats, organizations should consider creating what the National Institute of Standards and Technology calls “a risk-based approach to procurement.” This plan should include working with legal, sourcing and subject matter experts from IT, security, engineering and operations to develop procurement processes. They can also work together on including relevant security standards into potential contracts. If vendors don’t meet those standards, organizations can then exclude their devices.
IoT Security as a Life Cycle
Organizations need to consider the procurement best practices discussed above if they want to defend their IoT devices. This highlights the fact that IoT security is a life cycle. From procurement to retirement, organizations need to monitor the security of their IoT cameras. Keeping track of smart devices is an important part of a comprehensive security program.
David Bisson is an information security journalist and security news junkie. He is the Senior Content Manager at Bora Design, an IT security marketing agency...