As gear joins the internet of things, our networks become more vulnerable. That new IP-enabled camera might be an open invitation for hackers
In October 2016, the largest-ever internet denial-of-service attacks took place. The attack targeted systems operated by Domain Name System provider Dyn and disrupted huge swathes of the internet in the US and Europe, including major websites and platforms like Amazon, Netflix and Twitter.
The 2016 assault took the form of a distributed denial-of-service (DDOS) attack, launched from multiple IP addresses simultaneously. With the flood of traffic coming from multiple computers – sometimes hundreds or thousands – and exceeding a terabit per second, the victimised sites are unable to effectively defend themselves and are impossible to access, or go down altogether.
The culprit was a botnet called Mirai. Mirai, however, wasn’t running on typical desktop computers. Its speciality is devices on the internet of things (IOT) – smart TVs, Wi-Fi access points, routers and IP cameras. Anyone involved in online streaming probably owns several of the devices on that list, and might even rely on those devices for their income.
Richard Stiennon is chief research analyst at IT-Harvest, an organisation he founded specifically to consult on IT security. He describes Mirai as ‘the very best example’. He adds: “It infected hundreds of thousands of CCTV cameras designed for monitoring children’s cribs and babies. Everyone was looking for Chinese or Russian causes or something like that.” But the real problem, he says, was simpler: “All those devices had default passwords.”
It is now becoming possible for video equipment to be used in the same way. Cameras increasingly offer wireless links over 4G, 5G or Wi-Fi, proxy file upload, or full video-over-IP technology. There is currently no suggestion that any particular product might be insecure, but Stiennon betrays little confidence.
“It’s a niche market, so there’s only going to be a hundred different cameras, each selling a few thousand copies. It won’t be a huge thing, but because it will be so eminently hackable, the hackers will want to get into them.”
Dhruv Mehrotra describes himself as a software developer who works on “increasingly political projects”, with an interest in security and network maintenance. Last year, he contributed data analysis to an investigation written by Kashmir Hill and Surya Mattu, and published on Gizmodo under the title “The House That Spied On Me” (bit.ly/HouseThatSpiedOnMe). Mehrotra’s analysis assessed data leakage from smart home devices. “It’s good to start with the assumption that by being on the network you’ve opened yourself up.”
Something as simple as a control panel for the device’s settings might be a vector for attack. Often, control panels are delivered as a web page, making the device a fully fledged web server, just as much as any other on the internet.
“Even if it’s just serving up a web page,” Mehrotra continues, “via that, there’s password protection they could try to brute force.” This means trying long lists of common passwords, an attack that can be mitigated by limiting the rate at which passwords can be tried.
Sending data over a public network raises other concerns. Mehrotra again: “Cellphone networks are famously insecure. Using the cellphone network as a delivery vehicle for this content is a scary thing, especially if you’re in a country where the networks are operated by a government. I can tell you about our experience in Nicaragua where we operate a sort of DIY cellphone network. When there’s political instability the government wants us to stop access to Facebook, things like that.”
Exactly this sort of concern is key to organisations, such as Witness, which describes itself as “making it possible for anyone, anywhere to use video and technology to protect and defend human rights.” Matisse Bustos-Hawkes is associate director of communications and engagement at Witness.
“Livestreaming is something that we’ve seen activists return to again and again with some enthusiasm,” she says, “and we have concerns about information being transmitted – where a particularly vulnerable person may be, for instance. We’re thinking about the way to enable people with the skills to shoot better video, or just be simply more watchable. But we’re also concerned with people acting in the interests of their own security. The obvious plus sides of being able to reach a lot of people with their message may obscure the risks they’re exposing themselves to.”
So our increasing number of IOT tools are at risk of becoming part of an attack network, or of betraying the user to Big Brother. Is there any solution?
Stiennon starts with the basics. “Especially for high-end devices, you need to update them frequently, patch them, make sure the passwords aren’t the default. Make it long, uncrackable, write it down and put it on a piece of paper in your wallet. The hackers are going to be remote. If they steal your wallet, you have bigger problems.”
In the end, though, there’s a feeling of inevitability.
“Everyone’s going to get hacked and they’ll fix their stuff, and they’ll pay back the security debt that they incurred from being networked and on the internet.”
Witness’s Bustos-Hawkes says that the organisation has been ringing the alarm about why encryption is important and why security protocols matter. “But manufacturers haven’t been very responsive about it. I understand you can’t commandeer the roadmap for a product just because journalists need to be protected, but perhaps people should be pushing back from an intellectual property perspective. What would it mean if a camera broadcasting a sports event had its feed commandeered and broadcast on a channel that didn’t have the rights?”
A manufacturer might bring in a consulting company to attack a new device with the idea of uncovering its weak points, an approach called penetration testing, or pentesting. Stiennon suggests a budget of $100,000 (£77,500) for pentesting – a bargain, when you consider Rutgers University’s spend of three times that on emergency measures to mitigate Mirai attacks.
“An alternative that a company might turn to is to offer a bug bounty, crowdsourcing your security. The danger there is you draw attention to yourself from hacker types who might want to get paid in Bitcoin. They might decide that the vulnerabilities they find are more valuable on the open market.”
The Mirai botnet was tracked down to three young American computer hackers, Paras Jha, Josiah White and Dalton Norman. They were sentenced to 2,500 hours of community service and ordered to pay $127,000 (£98,400) in restitution, a pretty light sentence for stealing hundreds of thousands of business hours. The three are also required to cooperate with the FBI and other law enforcement agencies in other cybercrime investigations, and cybersecurity research.
To be clear, FEED knows of no evidence of inherent vulnerabilities in any specific video devices or brands. We did approach several prominent companies making network-enabled film and television production devices for inclusion in this article. At the time of writing, one had not substantively responded, and all the others expressly declined to comment.
This article originally appeared in the February 2019 issue of FEED magazine.