Compromised cameras the thin end of the cybersecurity wedge

Stack 'em high, sell 'em cheap – music to the ears of the hacker.
25 August 2022


An old vulnerability in Hikvision cameras is still being used by hacking groups, both private and state-organized. According to CYFIRMA, the affected devices are most common in China, followed by installations in the US, Vietnam, the UK, and Ukraine. Although a patch is readily available, many thousands of devices remain relatively easy to exploit. Hackers are actively selling leaked credentials on private and public forums, CYFIRMA said.

Hikvision is by no means the only camera manufacturer that produces susceptible products. Almost every camera vendor’s products present some potential exploit, making it incumbent on those using the technology to keep abreast of CVE notices and patches. In some instances, the exploits require physical access to the device, or at least local network access that has already been established. But any camera connected to a network has to be regarded as a security risk, given the number of known issues across hundreds of manufacturers’ devices.

News of compromised cameras often attracts more extreme hyperbole than news of other compromised IoT devices, probably because cameras allow bad actors to literally see where they shouldn’t. However, the main reason for exploiting cameras is to coerce them into becoming part of larger botnets. Although each device is relatively low-power by today’s computing standards, taken at scale, the combined effect of several thousand (easily) compromised devices can be impressive. As conduits for DDoS attacks, traffic relays, or toeholds into larger networks, cameras and IoT devices are an attractive prize.

The problems affecting connected cameras are the same ones that bedevil all IoT devices. To keep production costs down, they are often based on small, cheap system-on-chip boards that were never designed with anything but the most basic cybersecurity measures in mind. Consumers and businesses demand connectivity from every electronic device, but in many cases there’s no corresponding willingness to pay more than is absolutely necessary.

Some IoT manufacturers also operate on a fire-and-forget basis, unlike, for instance, vendors of critical network infrastructure. Large companies like Cisco and HPE continue to produce and disseminate firmware patches for their hardware, sometimes long after official support periods have elapsed. Software manufacturers can be seen to do the same. Microsoft released a security patch for Windows XP as late as 2019, for instance, 18 years after the platform’s release.

But IoT device manufacturers, especially those servicing the lower end of the market, simply don’t have the resources or the inclination to keep pushing updates, even if they are still in business ten years hence. As anyone with Insteon devices installed knows, it’s possible that the vendor simply pulls the shutters down on business altogether. That can leave thousands of devices unsupported and, in some cases, transformed into attractive yet useless doorstops thanks to the cloud services they rely on also shutting down. Perhaps that’s better than continuing to work as part of a botnet?

On the one hand, there’s a huge demand for products from companies like Hikvision because they offer good functionality at a low price. On the other hand, when buyers reap the rewards of their choices in the form of vulnerabilities and exploits, there’s a tendency to point out that the Chinese state owns the company and that “Russian cyber criminal forums are awash with hackers looking to collaborate on exploiting Hikvision cameras” (thereby hitting two “evil empires” with one stone).

IoT devices are relatively new in many industries, and it will take longer for cybersecurity methods to reach the levels of ubiquity that help protect servers, laptops, and to a lesser extent, phones. There are plenty of vendors featured on these pages that specialize in IIoT and IoT protection, but until using them becomes the norm, it remains a case of caveat emptor for any IoT device intended to be networked.