The Internet of (insecure) Things strikes again, according to a new report by independent testing agency AV-TEST.org, who have been taking a long, hard look at the security of IP cameras, designed to help home owners keep a watchful eye over their property.
As I see it, you buy a security camera to secure yourself.
You don’t, imagine, install an IP surveillance camera to introduce new security risks.
And yet, AV-TEST.org’s most recent research has found that less than half of the devices they tested can be considered safe against attacks.
Researcher Olaf Pursche discovered that IP cameras from some well known manufacturers were considerably weaker at securing stores images and videos, and either failed to encrypt communications or used weak encryption that could be cracked by a determined hacker.
Of the eight IP cameras tested, the Netgear Arlo, Logitech Circle and Myfox security camera were rated highest in terms of security, with the D-Link DCS-2132L and Gigaset Camera faring worst.
As AV-TEST.org’s research explains, when a connected camera transmits or saves Wi-Fi passwords in plain text, it “opens up a floodgate into the private sphere of users, enabling unauthorised access via all devices, including PCs, smartphones and tablets.”
Worse still, it may not just be your home network which is put at risk by poorly-secured IoT devices. As we saw last October, hundreds of thousands of poorly-protected IP cameras were hijacked by the Mirai botnet and launched a colossal DDoS (distributed denial-of-service) attack that successfully knocked major internet services – including Twitter, PayPal and Spotify – offline.
It’s not as though it’s difficult to find poorly secured IP cameras. Search engines like Shodan and websites like Insecam have made it child’s play to discover unsecured devices, or even watch images captured by the cameras in real-time.
That’s why it’s so important that manufacturers of IP cameras and other IoT devices do a much better job at securing them from attacks, and make it harder – if not impossible – for consumers to connect them to the internet in an insecure way.
D-Link seems to be making regular appearances in the security headlines for all the wrong reasons lately, with the FTC recently filing a lawsuit against the company claiming it had continually “failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws”.
And, as Hot for Security reported last year, some 400,000 devices were at risk of being attacked remotely because of a remote code execution firmware flaw in some of its products.