The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.
F-Secure and companies like us are discovering vulnerabilities in internet-connected “things” all the time. And Hypponen’s Law was proved yet again recently with the discovery of multiple vulnerabilities within two IP security cameras made by Chinese manufacturer Foscam. As detailed in our new report, F-Secure has identified 18 different vulnerabilities in the cameras that, if exploited, allow an attacker to take control of the camera and view and download the video feed.
This is nothing new – we’ve all heard stories about hacker voyeurs spying on unsuspecting victims. But what shouldn’t be forgotten is that this device is not just a camera, it’s also a server. A vulnerable server that gives an attacker a foothold into the rest of the network, as F-Secure’s Janne Kauhanen explains in this video.
If this device sits in a corporate network and an attacker gains access to that network, the attacker could infect the device with malware that grants access to the rest of the network and its resources.
Networks in flux
The network perimeter is dissolving, and has been for years. With cloudification, consumerization, and a mobile work force, devices, assets and data that used to be inside are now outside, and what was out is now in. The Internet of Things further erases this network perimeter, with smart “things” extending the network far beyond workstations, laptops, smartphones or tablets.
Kauhanen put it this way: “IoT brings more devices into your networks that you don’t think of as network devices. This leads to a shadow IT situation where companies are not aware of all the devices in their networks. And if you don’t know about something, you can’t protect it.”
Harry Sintonen, our security consultant who found the vulnerabilities, says he’s never seen any device quite so poorly designed. “These vulnerabilities are as bad as it gets,” he said. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
Many of the vulnerabilities that plague this camera are about neglect. Neglecting to make default passwords random, neglecting to lock out users who attempt too…