Thousands of webcams vulnerable to attack

Exposed connections could lead to loss of privacy or information theft

More than 15,000 webcams in homes and offices can be accessed by members of the public and manipulated over just an internet connection.

Many security and conferencing cameras can be accessed remotely by anyone if users implement no additional security measures post-installation, according to findings by Avishai Efrat, a white hat hacker with Wizcase. In other cases, these cameras are set with predictable passwords or  default user credentials.

Webcams susceptible to this include AXIS net cameras, the Cisco Linkys webcam (now owned by Belkin), and WebCamXP 5 software, among many others in countries all across the world.

Many may assume that only devices like routers can be exposed in this way, given they serve as gateways that connect other devices with each other. Webcams, however, can also be accessed remotely in a similar way via peer-to-peer (P2P) networking or port forwarding. It's through these mechanisms that Internet of Things (IoT) devices, too, can be hacked.

"Is it possible that the devices are intentionally broadcasting? We can only determine this for on certain webcams that we're able to access the admin panel for," said Wizcase's web security expert Chase Williams.

"They're not necessarily broadcasting, but some may be open in order to function properly with apps and GUIs (interfaces) for the users, for example.

"Also included with some measure of frequency are specifically designated security cameras at places of business, both open and closed to the public which begs the question, just how much privacy can we realistically expect, even inside an allegedly secure building."

While it's difficult to know who owns such devices from technical information alone, cyber criminals may be able to ascertain such details using context from videos. Potential attackers can also glean user information and estimate the geolocation of the device in cases where they have admin access.

With the information made available by the unsecure webcams, Wizcase suggests cyber criminals can change settings and admin credentials, obtain bank and payment information, or even give hostile government agencies a glimpse into people's private lives.

The vulnerabilities can be explained by the fact that manufacturers aim to make the installation process as seamless and user-friendly as possible. This, however, can sometimes result in open ports and no authentication mechanism being set-up.

In addition, many devices aren't put behind firewalls or virtual private networks (VPNs), which could otherwise offer a measure of protection.

"Standalone cams are notorious for not being secured properly," said Malwarebytes' lead malware intelligence analyst Chris Boyd.

"If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

"Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they're all switched off by default. If the brand is obscure, you'll still almost certainly find someone, somewhere has already asked for help about it online."

Wizcase has suggested that whitelisting specific IP and Mac address to access the camera should filter those with authorised access, and prevent attackers from being able to infiltrate a user's network.

Adding password authentication, and configuring a home VPN network, too, can mean remotely connecting to the webcam is only possible within the VPN. UPnP should also be disabled if people are using P2P connections.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
AOL users are the target of a new phishing campaign
phishing

AOL users are the target of a new phishing campaign

1 Mar 2021
What is cloud-to-cloud backup?
cloud backup

What is cloud-to-cloud backup?

1 Mar 2021
Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021