In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.
At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.
The first concerns privacy: the hacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or to obtain sensitive personal information (faces, car license plates, etc.). Second, the breach may give visibility into the infrastructure to which the camera is connected and pave the way to a network attack. Last, and most importantly, the breach may also lead to the exploitation of the camera's computational power for crypto mining, or to its use as a node of a command-and-control network, known as a botnet.
During a routine security assessment of a customer's IoT network, our cyber security team detected a newly installed device, specifically an IP camera. The team ran a research activity to assess whether the camera could be considered secure enough to be used and exposed on a public network, and discovered two zero-day vulnerabilities. Because such software vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches are available to resolve them.
Discovering a zero-day vulnerability requires the adoption of an evil mindset and the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker’s perspective? To answer these questions as exhaustively as possible, our cyber security experts leverage a methodological process that is part of the company’s cyber security framework.
The analysis confirmed that it was not secure to expose the IP camera publicly. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account and access all IP camera commands without being authorized. The second vulnerability was related to the passwords of the IP camera users. By reverse engineering the publicly available source code, it would have been possible to discover the salt used by the hash function with which user passwords are stored.
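The second finding turns on a salt that is fixed in code instead of generated per user. The sketch below is an added example, not code from the camera or its vendor; it contrasts one code-embedded salt with a per-user random salt under PBKDF2 and adds an audit check that flags accounts sharing a stored hash. The SHA-256 construction, the salt value, the account names and the passwords are constructed assumptions, since the page does not name the camera's actual hash function.

```python
import hashlib
import hmac
import os

# Constructed placeholder standing in for a salt embedded in device code (assumption).
FIRMWARE_SALT = b"CONSTRUCTED-STATIC-SALT"
PBKDF2_ROUNDS = 600_000

def weak_hash(password):
    """Assumed weak scheme: one salt shared by every user on every device."""
    return hashlib.sha256(FIRMWARE_SALT + password.encode()).hexdigest()

def strong_hash(password):
    """Hardened form: fresh random salt per user, slow KDF, salt stored with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def strong_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def shared_hash_groups(store):
    """Audit check: groups of accounts whose stored hashes are identical.
    Any group means the salt is not unique per user."""
    groups = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two of them reuse the same password.
USERS = {"admin": "Summer2024!", "operator": "Summer2024!", "viewer": "c4mera-view"}

def build_stores():
    """Build the same credential store under both schemes."""
    weak = {user: weak_hash(pw) for user, pw in USERS.items()}
    strong = {user: strong_hash(pw) for user, pw in USERS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_stores()
    print("static salt, shared hashes:  ", shared_hash_groups(weak))
    print("per-user salt, shared hashes:", shared_hash_groups(strong))
```

With the static salt, a reused password is visible directly in the credential store, and the same stored value would recur on every device running the same code; the per-user salt removes both properties.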
Two different solutions were suggested: remove the camera and replace it with a more secure product, or install a firewall to limit access to known IP addresses. The customer agreed to remove the IP camera to avoid any possible issue and restore the overall security level.