IP Camera Cyberthreats in the Real World

IP cameras make for a good target for hackers. Even novice hackers are said to be taking advantage of the readily available tools in open-source communities to hack into these internet-of-things (IoT) devices. But while security experts have long been highlighting the cybersecurity risks for IP cameras, rarely, if at all, has the risk level been described in a real-world setting — with enough real products running in the field instead of simulated devices in intentionally weakened honeypots.

In late 2018, we initiated a program with VIVOTEK, a renowned IP camera manufacturer, to embed cybersecurity awareness and protection components into the firmware and ship it to market. With that, we were able to collect some insights, which we share in this article.

This article is based on an observation we conducted in January 2019. We monitored a considerable number of IP cameras (on the order of thousands) in terms of cybersecurity indicators and found some interesting points. Here are the key points that we learned from our observation:
  • • A considerable percentage of IP cameras (10 to 15 percent) are exposed to the public on the internet.
  • • Closing unused ports prevents more than 80 percent of malicious or unwanted traffic
  • • Brute-force login is a very common approach to begin with.
  • • Around 4 percent of incoming security incidents contain malicious payload.

Exposure to the Public Network

As mentioned in a previous article, most IP camera makers claim their devices are mainly deployed in a private network. This is a reasonable belief considering that, typically, consumer models sit behind a home router, models focused on industrial control systems (ICSs) sit inside an isolated facility like a factory, and the remaining ones deployed in the public area are shipped at a relatively small volume because of the higher price.

However, this theory was never verified until now. By matching up the actual shipment volume and the unique sample volume we received, we can conclude that around 10 to 15 percent of Vivotek cameras embedded with Trend Micro cybersecurity components were installed in an environment that allowed access to the internet. If this is an industry norm, we can expect more than a million IP cameras to be exposed to the public network in a single year, available to be explored on the IoT search engine Shodan. It makes perfect sense, then, for hackers to pursue IP cameras, because they are powerful devices with large bandwidth consumption and a huge number of them are widely available on the internet. This also makes for a perfect incentive for hackers to compromise IP cameras for cryptocurrency mining or distributed denial-of-service (DDoS) attacks.

The Rule of Least Functionality

Every cybersecurity advisor would urge developers to close ports that are not used. In this particular project, we logged all incoming and outgoing events from each device, and found that 83 percent of incoming events occurred through closed ports. This means that whether there is an additional cybersecurity implementation or not, closing ports that are not designed to be accessed already blocks more than four-fifths of unwanted incoming events.

Default and Weak Credentials

We cannot emphasize enough the importance of strong credentials. In reality, though, this is too often neglected in favor of maximizing the level of convenience. Leaked credentials do not always lead to a compromised IP camera, but they are the keys for compromised privacy and the potential risks of further exploits.

In this particular project, the remaining 17 percent of abnormal incoming messages came to the IP cameras through valid open ports, and a huge portion of them were brute-force credential attacks (13 out of 17 percent). Although many device makers are careful enough to close unused ports, some ports such as the Web service offer essential features and are thus left open at all times. A compromised credential does not necessarily lead to a system outbreak, but in the case of IP cameras, it often involves the infringement of personal privacy or business confidentiality.

Some countermeasures can be taken to eliminate the problem of default and weak credential abuse. Requiring users to change the default password is a common approach, and setting the retry criteria is another one widely used by developers.

The Final Frontier

In this project, only 4 percent of the abnormal network events managed to send a confirmed malicious payload to the open ports of IP cameras. This percentage might seem relatively small, but if we look at the actual total number of security events, it becomes another story. An IP camera that receives only one attack payload every day still makes for an undesirable situation, since once is all it takes for the device to be compromised.

Source: Trend Micro data as of January 2019

The underlying problem in this industry is that IP camera manufacturers do not really have the luxury to have a team dedicated to understanding, maintaining, and updating all the intrusion prevention system (IPS) rules that can address malicious packages. Collaborating with a specialized IoT security company to reduce the operation load and implement advanced security is therefore essential for IP camera manufacturers — as it is for makers and providers of other IoT devices and services. With collaborative implementation from the bottom up, IP camera manufacturers can have better visibility of the threat landscape of their products at service and better immunity to cybersecurity risks.

Recommended Video

Cybersecurity Risks in Complex IoT Environments

Company Information

Security Blog