The results of a recent analysis of some 6,000 open security cameras across the United States have shown that 15 percent of them are located in users’ private homes.
Open cameras are those whose feeds are open to anyone because they are protected with a widely known default password, or not password-protected at all.
While we expect feeds of cameras in public places like streets, shops, libraries and so on to be accessible to a certain number of strangers, most of us want feeds of or recordings by our home cameras to be for our eyes only.
“Open security cameras in homes is a terrifying thing, particularly considering they might be hidden in baby monitors, webcams, or high-tech recording gadgets,” home security solutions company Protection1 pointed out.
And while businesses and organizations with open security cameras in operation might consider them a theft deterrent, they should also be aware that these open feeds can be exploited by thieves to perform reconnaissance of future targets.
Unknown security issues pop up all the time
Another example of a little-known danger regarding security cameras comes from a Reddit user who bought a Netgear Arlo home security camera set, set it up, used it for a few days, and then returned it to the store.
“I never gave it another thought…until today. I got a random email alerting me that the camera had detected motion…but I don’t have any cameras. So I logged into my online account and I can see the new owner, their house, and everything they’re doing,” the user discovered. “Netgear obviously doesn’t have a system in place to prevent cameras on multiple accounts.”
After contacting Netgear support, the user discovered that the company is aware of this issue and that they plan on implementing a fix that would prevent cameras being associated with multiple accounts, and would force a hard reset on the cameras if they were previously registered in the system.
“Please know that Netgear has previously informed our resellers that retailers are not to resell cameras that have been returned, so the Arlo camera system in this instance was resold without our authorization,” a Netgear representative commented in the same thread.
“When setting up a previously owned camera it is advised that all Arlo cameras be reset from the original base station, which will clear connection with any previously existing account. The configuration for the cameras needs to be cleared as the settings may contain the associated account information of the previous owner.”
The company has apparently also tested for a scenario in which randomized serial numbers would be used to gain access to an Arlo camera.
“From the testing we have conducted, Netgear has not seen a possible scenario where a random serial number plug-in would provide unauthorized access to a video stream,” the representative noted.
The representative gave assurances that the company has the security of its products tested by independent analysts, and is running private bug bounty programs to fix vulnerabilities. The company also values outside reporting about security concerns and incidents. “The security community’s efforts in creating a more secure world are appreciated,” the rep concluded.
The problem with IoT security
“What we’re seeing here shouldn’t surprise anyone,” says Geoff Webb, VP, Solution Strategy at Micro Focus. “The IoT – and a desire to build products that are ‘IoT aware’ will feed a proliferation in smart devices – many of which will capture information and feed it back to some central service.”
“In the case of security cameras, you have a device that is designed to capture and transmit data. What happens is that we put these smart devices in place, and rarely think about keeping them secure – so the passwords don’t get changed, which leaves them vulnerable to being hijacked,” he noted.
“Right now the numbers are relatively small because we’re talking about a single class of device. This is a problem that is going to become far more significant, however. As more and more devices are deployed, the risk that these devices are not adequately secured increases, and the impact of that lack of security will reach further and further into our lives. In addition, the volume of unsecured information, gathered from more and more open devices, will offer significant potential for mining that could further erode our privacy.”
The security of “everyday tech”, like that of computer systems, depends on all stakeholders. Users should demand secure products, manufacturers should want to ship secure products (and find it more lucrative to do so), and the security community should help the latter do that.