Research from the Florida Institute of Technology shows how easy it is to gain backdoor access to a smart camera connected to a doorbell and, through it, remote access to your private life.
It is not unusual for criminals to seek to invade vulnerable sensors, networks and software in the Internet of Things (IoT).
Terrence O’Connor, Associate Professor of Computer Science at FIT, and his graduate student, Daniel Campos, found vulnerabilities in seven models of smart cameras and doorbells made by Geeni and its parent company, Merkury Innovations.
‘The vulnerabilities could enable a remote attacker to gain privileged access to the devices, listen to all audio and video recorded on the devices, and ultimately use the devices to covertly spy on their users,’ O’Connor wrote in a ReFirm blog entry titled ‘The Case Against Smart Devices’.
Their research was also featured in a column by The Washington Post.
The weak security measures enable an attacker to log in and gain access to camera feeds, files and recordings, according to FIT’s research. Most times, all an attacker needs to do is figure out the default password of the device.
On one device they tested, an attacker could compromise it and leave no trace of ever having been there.
They found significant weaknesses in four security cameras and three doorbells with wireless cameras connected to them, devices that are not hard to find at popular retailers such as Amazon and Walmart.
The researchers found that an attacker could control audio and video from the devices, and delete and download files.
The FIT researchers used Binwalk Enterprise, an Internet of Things (IoT) device security tool from ReFirm Labs, ‘to reverse engineer’ the firmware and identify the vulnerabilities.
ReFirm, which is based in Maryland, automates the process of searching for security vulnerabilities in IoT devices. The company gave the FIT researchers free access to its security tool as part of the company’s IoT Cybersecurity Education Program.
The FIT researchers reported the camera and doorbell vulnerabilities to MITRE, a nonprofit organization that manages federally funded research, as well as to the vendor in November 2020. It was an indication of what Campos’ graduate thesis would be.
‘We regularly update our app and devices for security and performance updates’, said Sol Hedaya, spokesman for Merkury, in an email. ‘We appreciate and often work with security researchers, such as the disclosure that was recently released’.
‘We’ve encountered no exploits of these vulnerabilities’, added Hedaya. ‘Most of the vulnerabilities noted were based on a single old model that has been discontinued for some time and represents less than 0.1% of our active devices.’
Hedaya stated that fixes for a vulnerability in other models have been completed, and that updated firmware would be released later this month.
‘Over the weekend, we were able to start pushing updated security updates to supported devices which remove the vulnerabilities noted in the report’, Hedaya wrote on Monday. ‘The updates pushed already cover over 88%+ of active cameras and we’re continuing to roll out additional fixes.’
However, it isn’t just Merkury’s devices that have issues.
‘There are several companies that have had similar problems’, said O’Connor.
He added that the industry doesn’t always notify customers of insecure or discontinued devices, and that homeowners should cease the use of the devices if the companies won’t fix the weaknesses.
‘If they’re not going to apply a security patch to that device… I would not use it, because it’s just too easy at a novice level for an attacker to get into that device and get access to people’s personal moments’, O’Connor said.
In a blog post, the CEO of ReFirm Labs said that IoT devices should have cybersecurity certification labels.
Many other IoT home devices, such as locks and digital voice assistants, are easily hackable as well. The researchers put the blame on lousy coding practices, small margins that restrict software development and lax federal enforcement.
The U.S. Department of Commerce’s National Institute of Standards and Technology supervises security issues on smart devices, but does this by setting standards in the industry, rather than by strict enforcement.
However, a law that has been passed will pressure companies to provide more security on smart devices and cameras that the government uses.
‘What we try to do is illustrate to consumers how vulnerable they are’, O’Connor said.
By Marvellous Iwendi.
Source: Florida Today