Among the many important aspects of Internet of things (IoT) security, live cameras are one of the most open to misuse. People have been video snooping, watching private cameras and doing other sketchy things around connected cameras for many years. But in recent months, the intensity and risk around video have risen.
Video has breached privacy, or even security, in recent months in three main ways. First, cyber criminals place hidden cameras in hotel rooms or home bedrooms. From there, they sell video clips or even live streams from those cameras online at scale.
Second, attackers digitally break into a company that provides security video services. From there they gain admin access to the companies’ servers. They can snoop on the live feeds of schools, hospitals and even cybersecurity companies using their products and services.
Third, threat actors exploit connected video cameras using insecure default configurations and other flaws.
It’s time to explore the potential for abuse (social engineering, blackmail, intelligence for sale and more). How can businesses protect themselves against this new wave of video attacks?
Today’s Thieves Making Money From IoT Security Breaches
Criminal gangs are stealing and selling private videos on a massive scale more and more. The stolen videos in this recent report number in the tens of thousands. The thieves sell them on the dark web at prices ranging from $3 to $8 per video, depending on how salacious the content. Like any other IoT security breach, attackers break into the video storage systems and exfiltrate the content. Or, the attackers take recordings from secretly hidden cameras in homes and hotel rooms.
Some criminals also sell usernames and passwords for live camera streams at discounted bulk rates. For example, 10 household and 10 hotel cameras might go for $23. Some of the stolen videos come from security and home cameras. Most of the videos referenced in this report came from China. However, like many other attack methods, the practice may spread globally.
Silicon Valley Breach Highlights Problems
A Silicon Valley security startup called Verkada was reportedly attacked by threat actors who compromised the security feeds of some 150,000 IoT security cameras, including those of prominent tech companies like Tesla and Cloudflare. They also gained access to video feeds from public agencies like police stations, hospitals, schools and prisons. The attackers in this case were a collective that calls itself Advanced Persistent Threat 69420. Their goal was to expose how common security feeds are and how easily they can be compromised, a spokesperson for the group said. They used a basic method for breaching Verkada’s systems: a username and password granting access to a ‘Super Admin’ account on the public internet. Once it was discovered, the company quickly addressed the security flaw.
Attackers can take advantage of baby monitors in the same way. IoT security cameras from at least two manufacturers were misconfigured, opening them up to external viewers. Several manufacturers poorly set up the Real-Time Streaming Protocol, enabling snoops to gain access without the need for authorization.
Is Video Really an IoT Security Threat?
Video is a known threat to privacy. But it’s also a threat to security. Attackers can use compromising or embarrassing private footage from stolen home videos for social engineering attacks, blackmail or to gain information useful in a later attack. Many videos reveal location and other facts.
In other words, whether attackers invade company or private cameras, it could still affect the safety of your enterprise. As is often the case with how attacks evolve, what started out as a source of bragging for script kiddies and wannabes turns into a serious business. With recent attacks, it’s very likely that an increasing number of threat actors are figuring out how to break into cameras and sell footage.
What to Do About the Video Threat
Take special pains when you purchase video products and services. Buy only from trusted vendors with strong IoT security features and policies. And use the security features of the products your organization does buy.
Lock down access wherever possible. For example, it’s far better to make sure honest users can access cameras only from the local network, rather than over the internet.
Add awareness about the risks of home and at-work video, and offer best practices for basic safety. This is even more helpful for employees who work from home full-time or part-time. These secure practices include buying from trusted vendors, using good password and secure networking practices, such as multi-factor authentication, and maintaining awareness about where to place cameras for privacy.
Another great tip for home or home-office video products is to turn off remote access you’re not using it. A camera connected over the internet is far less secure than one only used via the home network. Make sure the manufacturer offers frequent updates, and that you or the manufacturer configure settings to get those updates or notify the user about them.
Know Your End Points
Clarify to employees the fact that video camera security falls into the larger umbrella of IoT security. A home security or baby monitor camera is an IoT camera. That means it’s a computer connected to the internet, and should be treated as a potential security threat.
So much about recent video-based attacks are old. But much of it is new. One of the newest tactics, enabled by poor IoT security, is the theft of videos and the live capturing of video streams to be sold on the dark web at scale. The buyers of these videos and video stream access could be anyone — those seeking a thrill by invading privacy, or those seeking data to launch other kinds of attacks.