More IoT insecurity: The surveillance camera that anyone can log into

Remember that web camera we wrote about recently that allowed the crooks to keep an eye on you while you were keeping an eye on them?

The device streamed its surveillance video over HTTP, leaving it wide open to eavesdropping.

As we pointed out satirically in a recent Chet Chat podcast:

The suits-both-sides security camera! […] At the same time that you’re keeping an eye on the crooks, the crooks can keep an eye on you, because it’s all open. What a fantastic idea for a security camera!

Guess what?

Here comes another fantastic idea for a security system… a hard-coded root password for the web interface!

CSO recently reported just such a programming disaster found during research by US company Risk Based Security (RBS), which looked into the firmware of a widespread brand of surveillance DVR.

DVR is short for Digital Video Recorder, which in this product range accepts connections from one or more video cameras, recording the separate inputs for security purposes, and allowing you to move and zoom the cameras remotely.

The affected products are managed, like so many Internet of Things devices, via a web interface.

If you’ve installed the DVR and its cameras in some remote location, like a warehouse out in the suburbs, or in the ceiling of the cricket pavilion, you may very well have linked the device to your home network by the simply expedient of connecting it to the internet.

In that case, you run the risk that anyone might connect to it, and try to guess your password.

In other words, you’d better choose a decent one.

Except that it doesn’t really matter what you choose, because the vendor helpfully programmed the device with a can’t-be-changed, visible-in-the-firmware root password.

So a crook can just login and change your password anyway.

Modesty forbids us from telling you what the hard-wired password is, but it consists of just six digits.

(To be fair, length and complexity are largely irrelevant for fixed passwords, because once someone knows it, everyone knows it, so you can just copy and paste it regardless of how long it is.)

Apparently, the vendor in this case sells its product for rebranding under many names, so we can’t give you a reliable list of the devices that might be affected.

But the RBS researchers used IoT “online device search engine” Shodan to look for devices that would probably accept the known password (probably because actually logging in to prove the point would be a legal minefield), and quickly came up with more than 36,000 hits.

WHAT TO DO?

Given the range of different brands that might be affected, it’s hard to give specific advice on how to find out if your device is vulnerable.

All we can suggest is trying your own surveillance DVR – not anyone else’s, OK? – to see if this particular password works. (We give in: it’s 519070.)

If it works, you’re in trouble; if not, you’re still not sure whether there’s a similar hole in your device, only with a different string as the password.

For that reason, until the IoT market matures and starts taking security seriously, we suggest that you keep these devices segregated on a subnetwork of their own, behind a firewall that only allows you to connect through if you login to a Virtual Private Network (VPN) first.

That way, only pre-authenticated remote users can get access to the network on which your IoT devices accept their connections.

That will restrict the number of computers that can get close enough to those IoT devices to have at them to probe for security weaknesses like hard-wired passwords.