Thousands of webcams vulnerable to attack

Exposed connections could lead to loss of privacy or information theft

More than 15,000 webcams in homes and offices can be accessed by members of the public and manipulated over just an internet connection.

Many security and conferencing cameras can be accessed remotely by anyone if users implement no additional security measures post-installation, according to findings by Avishai Efrat, a white hat hacker with Wizcase. In other cases, these cameras are set with predictable passwords or  default user credentials.

Advertisement - Article continues below

Webcams susceptible to this include AXIS net cameras, the Cisco Linkys webcam (now owned by Belkin), and WebCamXP 5 software, among many others in countries all across the world.

Many may assume that only devices like routers can be exposed in this way, given they serve as gateways that connect other devices with each other. Webcams, however, can also be accessed remotely in a similar way via peer-to-peer (P2P) networking or port forwarding. It's through these mechanisms that Internet of Things (IoT) devices, too, can be hacked.

"Is it possible that the devices are intentionally broadcasting? We can only determine this for on certain webcams that we're able to access the admin panel for," said Wizcase's web security expert Chase Williams.

"They're not necessarily broadcasting, but some may be open in order to function properly with apps and GUIs (interfaces) for the users, for example.

Advertisement
Advertisement - Article continues below

"Also included with some measure of frequency are specifically designated security cameras at places of business, both open and closed to the public which begs the question, just how much privacy can we realistically expect, even inside an allegedly secure building."

Advertisement - Article continues below

While it's difficult to know who owns such devices from technical information alone, cyber criminals may be able to ascertain such details using context from videos. Potential attackers can also glean user information and estimate the geolocation of the device in cases where they have admin access.

With the information made available by the unsecure webcams, Wizcase suggests cyber criminals can change settings and admin credentials, obtain bank and payment information, or even give hostile government agencies a glimpse into people's private lives.

The vulnerabilities can be explained by the fact that manufacturers aim to make the installation process as seamless and user-friendly as possible. This, however, can sometimes result in open ports and no authentication mechanism being set-up.

In addition, many devices aren't put behind firewalls or virtual private networks (VPNs), which could otherwise offer a measure of protection.

"Standalone cams are notorious for not being secured properly," said Malwarebytes' lead malware intelligence analyst Chris Boyd.

Advertisement - Article continues below

"If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

"Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they're all switched off by default. If the brand is obscure, you'll still almost certainly find someone, somewhere has already asked for help about it online."

Wizcase has suggested that whitelisting specific IP and Mac address to access the camera should filter those with authorised access, and prevent attackers from being able to infiltrate a user's network.

Adding password authentication, and configuring a home VPN network, too, can mean remotely connecting to the webcam is only possible within the VPN. UPnP should also be disabled if people are using P2P connections.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020
Visit/business-strategy/it-infrastructure/356258/the-growing-case-for-it-flexibility
Sponsored

The growing case for IT flexibility

30 Jun 2020