IP Cameras Still Need More Security


When you start testing the security of IP cameras and the first thing you see is a sticker on one displaying its default login credentials, then you know you’re in for a fun time. That’s what NCC Group experienced when it tested IP cameras designed for connection to networks.

The company tested devices from companies including ieGeek, TP-Link and Neos. It discovered a trail of security missteps. Here are some of them:

Default logins in clear view: The ieGeek camera had a sticker on the side displaying the default admin username and password, both of which were “admin.” Nice!

Plain text data transfer: The ieGeek camera sent all camera data, including control information and video streams, back to Chinese servers in plain text.

Vulnerable to ancient exploits: The TP-Link Tapo camera was vulnerable to Heartbleed, which was discovered six years ago (the vendor has since patched this). NCC chained this vulnerability with another attack, grabbing the MD5 hash and using it to access the camera’s API, turn off its privacy mode and access its video stream.

Inadequate encryption: The ieGeek and Neos cameras both stored hashed admin credentials using DES, which has been deprecated due to its relatively short key lengths. NCC cracked these hashes on both units.

Insecure web applications: The ieGeek camera’s web interface gave up the contents of its SD card (including video footage) along with its log files and the front-end code of the web interface itself.

Insecure authentication: ieGeek used Basic Authentication, a protocol that takes login credentials as part of the HTTP header. This is an insecure practice that many online services, including Microsoft and Google, are phasing out.

Debug ports enabled by default: The UART pins (which allow the device to send and receive serial data) were enabled by default on the ieGeek and Neos Smartcam cameras. This enabled NCC to get shell access on the ieGeek unit and to bypass the login screen on the Neos device altogether.
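For teams reviewing their own firmware images, the "Inadequate encryption" finding above can be checked for mechanically. The following is an added example, not NCC Group's tooling or any vendor's code: it assumes the credentials sit in a passwd/shadow-style file in traditional crypt(3) format (the article does not state the format), and the sample entries are constructed placeholders rather than real hashes.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# BSDi extended DES: "_" + 4-char round count + 4-char salt + 11-char hash.
BSDI_RE = re.compile(r"^_[./0-9A-Za-z]{19}$")
# Modular crypt prefix -> (scheme, treated as weak in this audit).
PREFIXES = {"1": ("md5-crypt", True), "5": ("sha256-crypt", False),
            "6": ("sha512-crypt", False), "y": ("yescrypt", False),
            "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

def classify(field):
    """Return (scheme, weak) for one passwd/shadow password field."""
    if field == "":
        return ("empty", True)                 # account needs no password
    if field == "x" or field[0] in "*!":
        return ("locked-or-shadowed", False)   # no usable hash stored here
    if field.startswith("$"):
        return PREFIXES.get(field.split("$")[1], ("unknown", True))
    if DES_RE.match(field):
        return ("des-crypt", True)
    if BSDI_RE.match(field):
        return ("bsdi-des-crypt", True)
    return ("unknown", True)                   # unrecognised: flag for manual review

def audit(text):
    """Return [(user, scheme)] for every entry whose hash scheme is weak."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, field = line.strip().split(":")[:2]
        scheme, weak = classify(field)
        if weak:
            findings.append((user, scheme))
    return findings

# Constructed sample file; hash values are placeholders, not real hashes.
SAMPLE = """\
root:abCdEfGhIjKlM:0:0:root:/root:/bin/sh
admin:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:1000:1000::/home:/bin/sh
svc:$6$constructed$BBBBBBBB:1001:1001::/home:/bin/sh
guest::1002:1002::/home:/bin/sh
daemon:*:1:1::/:/bin/false
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user}: {scheme}")
```

A check like this fits in a firmware build pipeline, so that an image with DES or empty password entries fails before it ships.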

What does all this teach us? Some IoT companies aren’t improving their security in response to continued pressure across the industry. They’re not following basic firmware development practices or locking down hardware before it leaves the factory, in spite of laws such as California’s and the UK’s forthcoming IoT legislation, along with regulators to enforce them. Nor are they patching long-known vulnerabilities.

NCC Group hopes that more legislation will help bring sloppy IoT vendors to heel, but it isn’t guaranteed. “This can only happen if standards are followed correctly and only if failures in, or vulnerable divergences from, baseline security are penalized through regulation or legislation,” it concluded.

In the meantime, expect to see more horror stories as the risk of camera hacking rises.
