The ubiquity of IP cameras

At the cost of security and privacy risks?

New technologies are constantly changing the way we live our lives. However, few have had the same effect on everyday consumers as what we refer to as the ‘Internet of Things (IoT)’. IoT has provided users with innovation, comfort, luxury and ease of access, among numerous other benefits. It allows for a range of consumer devices to be developed, such as smart home appliances, smart TVs, smart cleaning robots, digital thermostats and smart fridges, all of which allow for remote monitoring and interaction by the end user.

IP-based cameras (or IP cameras) are an excellent example of how IoT has revolutionised our day-to-day lives. These devices can be installed anywhere and are easily accessible through a click of a button from the device of choice. As a result, this provides the user quick and easy access to monitor the premises in which the cameras are installed from anywhere in the world, as long as the user has Internet connectivity. In light of this innovative and convenient technology, IP cameras have seen a rise in popularity during the last decade. But what are some of the associated risks that typically go unnoticed?

While remote access to IP cameras from mobile phones or tablet devices is very convenient, misconfigurations or security vulnerabilities can introduce privacy risks. This can directly lead to a situation where any individual on the Internet is able to peek through the lens of the camera as if it were their own. Many free and publicly available tools exist that allow anyone to check for exposed IP cameras and other IoT devices. These include Shodan, Spyse, Insecam and BinaryEdge, among many others.

According to open source intelligence research performed by our cyber security specialists (i.e. reconnaissance that leverages publicly available tools and databases on the Internet), in Malta alone there are around 5000 IP cameras which are accessible over the Internet. Of these, our team identified at least around 50 cameras which are exposing live footage and snapshots from within homes, garages, rooftops, yards, offices and fields, to name a few. Furthermore, hundreds have been identified as being configured with weak/default passwords or running outdated and vulnerable software.

In reality, accessing the feed of an IP camera only takes a couple of seconds using software such as a media player or web-based tools. The only information one would require is the URL of the streaming IP camera. These differ slightly depending on the camera model and the protocol in use. During our research, our team identified that most IP cameras were exposing the feed to the Internet via the following URLs:

  • RTSP - Port 554: rtsp://[username]:[password]@[IP address]:554/1

  • HTTP - Port 80: http://[IP address]/webcapture.jpg?command=snap&channel=[Channel Number]

How do we limit such exposure?

With some basic awareness, anyone can implement a number of measures to prevent unauthorised access and misuse. These range from ensuring that the devices in question are using secure protocols (such as SRTP and HTTPS) to adopting secure password practices. To this end, we are providing a few best practices and recommendations for IP camera systems installed within organisations as well as for smaller setups, typically those found in a consumer context, such as homes and small retail outlets.

IP cameras in a consumer context

The following recommendations are provided in view of the smaller set-ups typically found in a household environment or in small offices and shops:

  • Change the default administrator password of the cameras and assign them a new complex password. Store it somewhere secure, ideally in a password manager.

  • If the cameras are connected to a network video recorder (NVR), limit the number of users with administrative access to the NVR. Follow the same practice for each individual IP camera.

  • Be conscious of the default configuration of the IP camera setup. Ensure that you are not exposing the administrative web portal to the Internet via your router’s port forwarding. Turn on HTTPS for your web portal to ensure that the communication from your device to the camera is encrypted.

  • If you need to view the camera feed from outside your local network, be conscious of the fact that other people on the Internet can access this as well if configured insecurely. Ideally, IP cameras are never exposed to the Internet and a virtual private network (VPN) is used to access the cameras on the local network.

  • Some cameras allow for a live view without exposing the cameras within the local network. Instead, the cameras or NVR system upload the feed to the vendor’s cloud environment. While this is convenient and can reduce risks introduced by misconfigurations, one should be conscious of privacy implications.

  • Regularly update the firmware of the camera (and NVR). This ensures that any newly identified vulnerabilities are patched in a timely manner.
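
Several of the recommendations above can be checked against a written inventory of your own camera URLs without touching the network. The following Python code is an added example, not part of the original article; the finding names, the short default-password sample and the inventory entries are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small sample of factory-default passwords; extend from vendor manuals.
DEFAULT_PASSWORDS = {"", "admin", "12345", "123456", "password"}
# Unencrypted schemes named in the article (RTSP on 554, HTTP on 80).
PLAINTEXT_SCHEMES = {"rtsp", "http"}
# Address ranges that stay on the local network (private, loopback, link-local).
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def audit_camera_url(url):
    """Return a sorted list of findings for one camera URL from your own inventory."""
    parts = urlsplit(url)
    findings = set()
    if parts.scheme.lower() in PLAINTEXT_SCHEMES:
        findings.add("plaintext-protocol")        # prefer HTTPS / encrypted streaming
    if parts.username is not None:
        findings.add("credentials-in-url")        # ends up in history, logs, screenshots
        if (parts.password or "") in DEFAULT_PASSWORDS:
            findings.add("default-password")      # change the administrator password
    try:
        host = ipaddress.IPv4Address(parts.hostname or "")
        if not any(host in net for net in LOCAL_NETS):
            findings.add("non-local-address")     # reach the camera over a VPN instead
    except ValueError:
        findings.add("address-not-checked")       # hostname or IPv6: verify by hand
    return sorted(findings)

def audit_inventory(urls):
    """Map each URL to its findings, keeping only entries that need attention."""
    report = {u: audit_camera_url(u) for u in urls}
    return {u: f for u, f in report.items() if f}

# Constructed inventory: documentation and private addresses only.
SAMPLE_INVENTORY = [
    "rtsp://admin:12345@203.0.113.10:554/1",
    "http://192.168.1.20/webcapture.jpg?command=snap&channel=1",
    "https://192.168.1.21/",
]

if __name__ == "__main__":
    for url, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(url, "->", ", ".join(findings))
```
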

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911