Among the many important aspects of Internet of things (IoT) security, live cameras are one of the most open to misuse. People have been video snooping, watching private cameras and doing other sketchy things around connected cameras for many years. But in recent months, the intensity and risk around video have risen.

Video has breached privacy, or even security, in recent months in three main ways. First, cyber criminals place hidden cameras in hotel rooms or home bedrooms. From there, they sell video clips or even live streams from those cameras online at scale.

Second, attackers digitally break into a company that provides security video services. From there they gain admin access to the company’s servers and can snoop on the live feeds of the schools, hospitals and even cybersecurity companies that use its products and services.

Third, threat actors exploit connected video cameras using insecure default configurations and other flaws.

It’s time to explore the potential for abuse (social engineering, blackmail, intelligence for sale and more). How can businesses protect themselves against this new wave of video attacks?

Today’s Thieves Making Money From IoT Security Breaches

Criminal gangs are increasingly stealing and selling private videos on a massive scale. The stolen videos in this recent report number in the tens of thousands. The thieves sell them on the dark web at prices ranging from $3 to $8 per video, depending on how salacious the content is. As in any other IoT security breach, attackers break into the video storage systems and exfiltrate the content. Or the attackers take recordings from cameras secretly hidden in homes and hotel rooms.

Some criminals also sell usernames and passwords for live camera streams at discounted bulk rates. For example, 10 household and 10 hotel cameras might go for $23. Some of the stolen videos come from security and home cameras. Most of the videos referenced in this report came from China. However, like many other attack methods, the practice may spread globally.

Silicon Valley Breach Highlights Problems

A Silicon Valley security startup called Verkada was reportedly attacked by threat actors who compromised the security feeds of some 150,000 IoT security cameras, including those of prominent tech companies like Tesla and Cloudflare. They also gained access to video feeds from public agencies like police stations, hospitals, schools and prisons. The attackers in this case were a collective that calls itself Advanced Persistent Threat 69420. Their goal was to expose how common security feeds are and how easily they can be compromised, a spokesperson for the group said. They used a basic method for breaching Verkada’s systems: a username and password granting access to a ‘Super Admin’ account on the public internet. Once it was discovered, the company quickly addressed the security flaw.

Attackers can take advantage of baby monitors in the same way. IoT security cameras from at least two manufacturers were misconfigured, opening them up to external viewers. Several manufacturers poorly set up the Real-Time Streaming Protocol, enabling snoops to gain access without the need for authorization.
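A defender auditing cameras they own can recognize this misconfiguration from how a camera answers an RTSP DESCRIBE request sent without credentials: a 200 reply means the stream description is served to anyone, while a 401 reply with a WWW-Authenticate header means authentication is enforced. The sketch below is an added example, not from the original article; the camera names and captured responses are constructed samples, and the verdict labels are assumptions of this example.

```python
"""Classify RTSP replies to a credential-less DESCRIBE, for auditing cameras you own."""


def parse_rtsp_response(raw):
    """Return (status_code, headers) parsed from a raw RTSP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive; a header may repeat
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def classify(raw):
    """Map one response to a verdict label (labels are this example's own)."""
    status, headers = parse_rtsp_response(raw)
    if status == 200:
        return "OPEN"  # stream description handed out with no credentials
    if status == 401:
        offered = {v.split(" ", 1)[0].lower()
                   for v in headers.get("www-authenticate", [])}
        if "basic" in offered:
            return "AUTH_BASIC"  # password only base64-encoded on the wire
        if "digest" in offered:
            return "AUTH_DIGEST"
        return "AUTH_UNKNOWN"
    return "OTHER_%d" % status


# Constructed sample responses, keyed by hypothetical camera names.
SAMPLES = {
    "lobby-cam": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                 "Content-Length: 5\r\n\r\nv=0\r\n",
    "door-cam": "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                "WWW-Authenticate: Digest realm=\"cam\", nonce=\"abc123\"\r\n\r\n",
    "nursery-cam": "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                   "WWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
}


def audit(samples):
    """Return {camera_name: verdict} for every captured response."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(name, verdict)
```

Any camera reported as OPEN should have authentication enabled or be taken off the network until it is fixed.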

Is Video Really an IoT Security Threat?

Video is a known threat to privacy. But it’s also a threat to security. Attackers can use compromising or embarrassing private footage from stolen home videos for social engineering attacks, blackmail or to gain information useful in a later attack. Many videos reveal location and other facts.

In other words, whether attackers invade company or private cameras, it could still affect the safety of your enterprise. As is often the case with how attacks evolve, what started out as a source of bragging for script kiddies and wannabes turns into a serious business. With recent attacks, it’s very likely that an increasing number of threat actors are figuring out how to break into cameras and sell footage.

What to Do About the Video Threat

Take special pains when you purchase video products and services. Buy only from trusted vendors with strong IoT security features and policies. And use the security features of the products your organization does buy.

Lock down access wherever possible. For example, it’s far better to make sure honest users can access cameras only from the local network, rather than over the internet.

Add awareness about the risks of home and at-work video, and offer best practices for basic safety. This is even more helpful for employees who work from home full-time or part-time. These secure practices include buying from trusted vendors, using good password and secure networking practices, such as multi-factor authentication, and maintaining awareness about where to place cameras for privacy.

Another great tip for home or home-office video products is to turn off remote access if you’re not using it. A camera connected over the internet is far less secure than one only used via the home network. Make sure the manufacturer offers frequent updates, and that you or the manufacturer configure settings to get those updates or notify the user about them.

Know Your End Points

Make it clear to employees that video camera security falls under the larger umbrella of IoT security. A home security or baby monitor camera is an IoT camera. That means it’s a computer connected to the internet, and should be treated as a potential security threat.

Much about recent video-based attacks is old. But much of it is new. One of the newest tactics, enabled by poor IoT security, is the theft of videos and the live capturing of video streams to be sold on the dark web at scale. The buyers of these videos and video stream access could be anyone: those seeking a thrill by invading privacy, or those seeking data to launch other kinds of attacks.
