Thousands of webcams vulnerable to attack

Exposed connections could lead to loss of privacy or information theft

More than 15,000 webcams in homes and offices can be accessed by members of the public and manipulated over just an internet connection.

Many security and conferencing cameras can be accessed remotely by anyone if users implement no additional security measures post-installation, according to findings by Avishai Efrat, a white hat hacker with Wizcase. In other cases, these cameras are set with predictable passwords or  default user credentials.

Webcams susceptible to this include AXIS net cameras, the Cisco Linkys webcam (now owned by Belkin), and WebCamXP 5 software, among many others in countries all across the world.

Many may assume that only devices like routers can be exposed in this way, given they serve as gateways that connect other devices with each other. Webcams, however, can also be accessed remotely in a similar way via peer-to-peer (P2P) networking or port forwarding. It's through these mechanisms that Internet of Things (IoT) devices, too, can be hacked.

"Is it possible that the devices are intentionally broadcasting? We can only determine this for on certain webcams that we're able to access the admin panel for," said Wizcase's web security expert Chase Williams.

"They're not necessarily broadcasting, but some may be open in order to function properly with apps and GUIs (interfaces) for the users, for example.

"Also included with some measure of frequency are specifically designated security cameras at places of business, both open and closed to the public which begs the question, just how much privacy can we realistically expect, even inside an allegedly secure building."

While it's difficult to know who owns such devices from technical information alone, cyber criminals may be able to ascertain such details using context from videos. Potential attackers can also glean user information and estimate the geolocation of the device in cases where they have admin access.

With the information made available by the unsecure webcams, Wizcase suggests cyber criminals can change settings and admin credentials, obtain bank and payment information, or even give hostile government agencies a glimpse into people's private lives.

The vulnerabilities can be explained by the fact that manufacturers aim to make the installation process as seamless and user-friendly as possible. This, however, can sometimes result in open ports and no authentication mechanism being set-up.

In addition, many devices aren't put behind firewalls or virtual private networks (VPNs), which could otherwise offer a measure of protection.

"Standalone cams are notorious for not being secured properly," said Malwarebytes' lead malware intelligence analyst Chris Boyd.

"If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

"Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they're all switched off by default. If the brand is obscure, you'll still almost certainly find someone, somewhere has already asked for help about it online."

Wizcase has suggested that whitelisting specific IP and Mac address to access the camera should filter those with authorised access, and prevent attackers from being able to infiltrate a user's network.

Adding password authentication, and configuring a home VPN network, too, can mean remotely connecting to the webcam is only possible within the VPN. UPnP should also be disabled if people are using P2P connections.

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
Canon employee data exposed in ransomware attack
ransomware

Canon employee data exposed in ransomware attack

1 Dec 2020
Hackers could trick scientists into making deadly toxins
hacking

Hackers could trick scientists into making deadly toxins

30 Nov 2020
What is AES encryption?
Advanced Encryption Standard (AES)

What is AES encryption?

30 Nov 2020

Most Popular

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020
What is phishing?
phishing

What is phishing?

25 Nov 2020
Microsoft Teams no longer works on Internet Explorer
Microsoft Office

Microsoft Teams no longer works on Internet Explorer

30 Nov 2020