Securing IP Surveillance Cameras in the IoT Ecosystem
The security of devices connected to the Internet of Things (IoT) has been a hot topic, and Internet Protocol (IP) surveillance cameras, in particular, have been the subject of growing scrutiny. IP cameras have become a top target for hackers because of their relatively high computing power and good internet traffic throughput. A case in point was the incident toward the end of 2016 in which a Linux-based botnet called Mirai was used to facilitate the largest distributed denial-of-service (DDoS) attack in history. As a result, packet flow experienced bursts of up to 50 times higher than its normal volume, with internet traffic estimated at a record high of 1.2 Tbps. The traffic was triggered by remote commands, and the hijacked devices were primarily IP surveillance cameras. Multiple variants of Mirai-like malware have since surfaced to further take advantage of vulnerable IP surveillance cameras.

Rightfully, cybersecurity is now becoming a major consideration for IP surveillance devices, with some governments, for instance, already at work on regulations to elevate cybersecurity implementation. It is becoming a new decisive factor in the market of IP surveillance cameras.

Motivations for targeting IP surveillance cameras

One of the major motivations for hacking IoT devices is financial gain, and when it comes to monetization, IP surveillance cameras are distinct targets for the following reasons:

Constant connectivity
Like many other devices, IP cameras need to be internet-connected to function properly. However, exposure to the internet also makes it easy for hackers to find the cameras and potentially exploit the devices. Once hacked, the devices will be able to serve the hackers' needs.

Low hacking investment
Unlike with hacking a PC, once hackers see a way to break the security of an IoT device such as an IP camera, the same approach can usually be applied to other devices of similar models, resulting in a very low per-device hacking cost.

Lack of supervision
Unlike PCs, especially those used in offices, IP cameras have low user interaction and are not well managed in terms of security. Installing an aftermarket anti-malware application is not an option either.

High performance
The idle computing power of an IP surveillance camera is usually good enough to perform hacking-related tasks such as cryptocurrency mining, and without being noticed by end users at that.

High internet-facing bandwidth
The always-connected, fast and high-capacity bandwidth designed for video communications makes IP cameras a suitable target for hackers who want to initiate DDoS attacks.

Typical attack chain

The typical attack chain around IP surveillance cameras consists of the following steps.

1. Initial infection
After locating a device with open ports such as Telnet, Secure Shell (SSH), and Universal Plug and Play (UPnP), the attacker uses the device's default credentials (as with Mirai), or exploits unpatched system vulnerabilities (as with Persirai and Reaper) to gain control.

2. Command and control
After gaining control of the device, the attacker downloads and executes malicious scripts or samples that report to the command-and-control (C&C) server. That server issues commands instructing the affected IP camera to perform malicious activities such as cryptocurrency mining or DDoS attacks on other devices via User Datagram Protocol (UDP) floods.

3. Propagation
Depending on its kind, the malware used can scan the network and employ the same infection methods to propagate itself to other vulnerable devices. The attacker can trigger this action automatically (as in the case of wormlike botnets), or manually by sending instructions from the C&C server.

Risks to public and closed networks

Most home IP cameras offered in the traditional, do-it-yourself (DIY) consumer market are connected directly to the internet.
This means that home IP cameras are exposed to the internet at a level very similar to that of personal computers in homes, but without the ability for users to install security software. Although home IP cameras amount to only a small portion of all installed devices, they make up a fast-growing market because of their increasing affordability and accessibility to the general public.

On the other hand, many people claim that IP cameras are not exposed to that level of risk because most products are designed for enterprises, which basically deploy IP cameras in local area networks and make them unsearchable on the internet. This claim may hold true, but it may overlook several real-world factors:

The system integrators may not install the IP cameras as expected. In many cases, people just choose whichever approach is more convenient for them to install everything and get the devices working. Ease of maintenance is another incentive for them to do so. This explains why the IP addresses of many IP cameras that are supposed to stay in a local area network can still be found.

The business model around IP cameras is changing. Service providers are using IP cameras to run customized services (such as elderly care), and making the cameras available on the internet is the easiest way for both users and remote operators to access the cameras as needed at the same time.

Modern value-adding functions such as video analysis features are often deployed in the cloud to reduce the overall hardware and software costs, with the flexibility to switch specific features on or off, or to add a new feature regardless of the hardware performance of the cameras.

Hooking up IP cameras to the internet at large is a clear trend. Given the considerable number of IP cameras deployed globally, even a small portion of IP cameras that expose themselves on the public internet can serve as a great incentive for hackers.

Another thing to consider is that network isolation is one of the frequently mentioned approaches to cybersecurity. Being in a local area network, though, does not guarantee the protection of IP cameras against hacking. For one thing, well-designed malware can easily spread across the local area network, and any portable device brought into the same local area network can easily turn into an infection vector. Take the infamous Mirai botnet as an example: a Windows-based trojan plays an important role in distributing it, even though the targets are…
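
The typical attack chain described above (Telnet, SSH or UPnP reachable from outside, contact with a C&C server, propagation by scanning, and UDP floods) leaves a footprint in network flow records, including when the propagation happens inside a local area network. The following Python code is an added example, not part of the original article; the flow-record layout, the addresses, the camera inventory, the allowlist and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

MGMT_PORTS = {22: "ssh", 23: "telnet", 1900: "upnp"}  # services named in the article
LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed camera network
CAMERAS = {"192.168.1.20", "192.168.1.21"}            # assumed camera inventory
ALLOWED_DESTS = {"192.0.2.10"}                        # assumed vendor cloud / recorder

# Constructed sample flow records: (src, dst, proto, dst_port, bytes)
FLOWS = [
    ("203.0.113.50", "192.168.1.20", "tcp", 23, 420),        # internet -> camera Telnet
    ("192.168.1.20", "198.51.100.7", "tcp", 8443, 9000),     # camera -> unknown host
    *[("192.168.1.20", f"192.168.1.{h}", "tcp", 23, 60) for h in range(30, 45)],
    ("192.168.1.20", "198.51.100.99", "udp", 80, 750_000_000),  # large UDP burst
    ("192.168.1.21", "192.0.2.10", "tcp", 443, 5_000_000),   # camera -> allowlisted cloud
    ("192.168.1.5", "192.168.1.21", "tcp", 22, 300),         # LAN admin host -> camera
]


def external(ip):
    return ipaddress.ip_address(ip) not in LAN


def attack_chain_findings(flows, cameras, allowed, sweep_hosts=10, flood_bytes=100_000_000):
    """Map each camera to the attack-chain indicators seen in its flows."""
    findings = defaultdict(set)
    sweep = defaultdict(set)     # camera -> hosts it contacted on Telnet/SSH
    udp_out = defaultdict(int)   # (camera, dst) -> UDP bytes sent
    for src, dst, proto, port, size in flows:
        if dst in cameras and port in MGMT_PORTS and external(src):
            findings[dst].add(f"exposed-{MGMT_PORTS[port]}")  # step 1: reachable from outside
        if src in cameras:
            if external(dst) and dst not in allowed:
                findings[src].add("unexpected-outbound")      # step 2: possible C&C contact
            if port in MGMT_PORTS and proto == "tcp":
                sweep[src].add(dst)
            if proto == "udp":
                udp_out[(src, dst)] += size
    for cam, hosts in sweep.items():
        if len(hosts) >= sweep_hosts:
            findings[cam].add("mgmt-port-sweep")              # step 3: propagation scan
    for (cam, _), total in udp_out.items():
        if total >= flood_bytes:
            findings[cam].add("udp-flood")                    # DDoS participation
    return {cam: sorted(f) for cam, f in findings.items()}


if __name__ == "__main__":
    print(attack_chain_findings(FLOWS, CAMERAS, ALLOWED_DESTS))
```

The second camera produces no findings because its only outbound peer is on the allowlist and its SSH session originates inside the LAN.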