
The proliferation of Internet of Things (IoT) devices - more specifically, security cameras - has forced organizations to rethink how they protect their physical hardware.
Security cameras represent some of the most common IoT devices installed in business and commercial environments. Recent estimates suggest the smart camera market will grow at an astronomical rate, reaching a potential valuation of $12.71 billion by 2030 at a Compound Annual Growth Rate of 10%. Hundreds of millions of units are already deployed worldwide, offering untold levels of convenience and real-time monitoring.
Security teams both on- and off-site can now observe facilities and premises remotely and with razor-sharp precision, receive real-time alerts, and communicate through multi-channel audio features. Suffice it to say, IoT cameras are here to stay.
However, this rise in IoT camera adoption has also unearthed a range of severe cybersecurity risks. Each camera has the potential to expand an organization’s attack surface and risk exposure, creating new vulnerabilities that opportunistic and calculating malicious actors will exploit without hesitation.
It’s therefore crucial that security professionals understand the range of evolving vulnerabilities that could plague IoT camera systems. This is true for professionals working for an organization in-house, as well as those offering managed B2B security services. With this knowledge, more effective and comprehensive defense strategies can be adopted and risks can be mitigated with more confidence.
Looking at IoT Security Camera Applications and Configurations
IoT security cameras have become irreplaceable across various sectors. Their use in environments ranging from corporate offices and healthcare facilities to retail outlets, warehouses, and vacant properties has made them nearly ubiquitous.
The round-the-clock surveillance and monitoring capabilities offered by IoT CCTV systems make them invaluable for securing vacant properties and minimizing damage from break-ins or environmental hazards. They also provide crucial evidence in legal cases. Fundamentally, however, they help organizations maintain oversight and control over their estate and ensure that no unauthorized personnel gain access to their critical infrastructure.
However, IoT cameras are not innately immune to less visible, covert cybersecurity risks.
Default Configuration
A common IoT camera security risk lies in the use of default credentials. Industry research suggests that a large percentage of deployed IoT cameras retain their factory-set usernames and passwords, which are not changed upon receipt, thus creating an easily exploitable entry point for malicious actors. Attackers can scan networks for these devices and attempt to authenticate and gain access to them using known default logins and passwords.
A notable incident saw video surveillance provider Verkada experience a breach where attackers accessed live feeds from over 150,000 cameras in factories, schools, hospitals and even prisons. Legitimate administration account credentials were found to be exposed online.
Firmware and Updates
IoT cameras must be regularly patched with firmware and software upgrades to close known vulnerabilities. Some IoT devices outside of an enterprise IT environment may not have automatic update mechanisms configured, meaning manual intervention is necessary. As newer IoT devices enter the market, support for legacy cameras and networks is withdrawn, meaning that their vulnerabilities could be exploited more easily.
Network Exposure
IoT cameras depend on secure internet connectivity to enable remote monitoring and access control. If those pathways are not encrypted or isolated, external attackers can intercept the traffic, especially if external cameras are improperly segmented from central, secure enterprise networks. Without appropriate network segmentation, just one compromised camera feed can serve as an entry point to the wider corporate infrastructure.
Common IoT Device Attack Vectors
Attackers target IoT security cameras in several known and covert ways:
Unauthorized video exfiltration: One common entry point for attackers is to gain unsupervised access to video feeds. In December 2020, a security camera manufacturer was subject to a lawsuit which alleged that malicious external actors had hijacked cameras to harass families and individuals, demanding ransoms, making death threats and generally behaving antisocially and aggressively. Such an attack can resemble the methods used in corporate espionage, where opportunistic cybercriminals and even competitors can monitor the activities of notable people in an organization.
Botnets: IoT cameras possess enough processing power to act as valuable botnet nodes. The infamous Mirai botnet, which caused huge internet disruptions in 2016, specifically targeted IoT devices, including security cameras. Identifying devices with default username and password credentials allowed Mirai to convert them into network nodes for launching Distributed Denial-of-Service (DDoS) attacks. An evolved variant of the Mirai attack occurred in 2018 targeting CCTV cameras, creating a botnet that disrupted internet services across the East Coast of the U.S., where owners were unaware of their participation and involvement.
Physical breaches: Some sophisticated cyber attacks involve the manipulation of feeds or the compromise of cameras to plan physical breaches on a company’s premises. Camera feeds and locations can unveil blind spots and optimal entry points, increasing a criminal’s chances of successful intrusion. Feeds can be manipulated to the point where black screens or old footage can be relayed to conceal physical intrusion attempts.
How to Prevent IoT Camera Compromise
Several protection measures are essential to secure security cameras in business settings:
- Maintain an accurate inventory of all cameras, including make, model, firmware version, location, and assigned credentials.
- Scan the network to identify unauthorized or obsolete devices that may otherwise remain vulnerable.
- Implement strict policies to set unique, complex passwords for each camera and hardware device.
- Implement certificate-based authentication where supported.
- Delegate access control to authorized personnel based on the principle of least privilege.
- Place IoT cameras on isolated network segments with strict firewall protection rules governing their communication.
- Establish routine patch management processes and manual scans for identifying and managing firmware upgrades.
- Consider replacing cameras that no longer receive manufacturer or software provider support.
- Ensure all video transmissions from cameras are sent over strongly encrypted pathways to prevent external interception.
- Implement robust, enterprise-wide monitoring systems that can detect unusual camera usage or movements (e.g. unexpected outbound connections or communication with suspicious IP addresses).
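The inventory, segmentation and monitoring items above can be tied together in one check, shown here as an added example that is not part of the original article: flow records sourced from the camera segment are compared against the inventory and an allowlist of permitted destinations. The camera subnet, internal range, inventory, allowlist and flow-record format are assumptions, and the flow lines are constructed sample data.

```python
import ipaddress

# Assumed values for illustration: camera VLAN, corporate range, inventory, permitted flows.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INVENTORY = {"10.20.0.11", "10.20.0.12"}
ALLOWED = {                       # (destination, protocol, port) a camera may reach
    ("10.20.1.5", "tcp", 443),    # video recorder
    ("10.20.1.1", "udp", 123),    # internal NTP
}

# Constructed flow records: time src dst proto dport
SAMPLE_FLOWS = """\
2024-05-01T02:00:01Z 10.20.0.11 10.20.1.5 tcp 443
2024-05-01T02:00:07Z 10.20.0.11 10.20.1.1 udp 123
2024-05-01T02:03:44Z 10.20.0.12 203.0.113.40 tcp 23
2024-05-01T02:04:10Z 10.20.0.12 10.30.4.9 tcp 445
2024-05-01T02:05:02Z 10.20.0.77 10.20.1.5 tcp 443
2024-05-01T02:06:30Z 10.30.4.9 198.51.100.7 tcp 443
"""

def classify(src, dst, proto, port):
    """Return a finding label for one flow, or None if the flow is expected."""
    if ipaddress.ip_address(src) not in CAMERA_NET:
        return None                          # not sourced from the camera segment
    if src not in INVENTORY:
        return "uninventoried-device"        # device on the VLAN that nobody registered
    if (dst, proto, port) in ALLOWED:
        return None
    if ipaddress.ip_address(dst) in INTERNAL_NET:
        return "internal-not-allowlisted"    # segmentation gap toward corporate hosts
    return "external-destination"            # camera talking to the internet

def find_violations(flow_text):
    """Return (line number, label, raw line) for every flow that needs review."""
    findings = []
    for line_no, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        label = "unparsed"                   # malformed lines are reported, not dropped
        if len(parts) == 5 and parts[4].isdigit():
            try:
                label = classify(parts[1], parts[2], parts[3].lower(), int(parts[4]))
            except ValueError:               # malformed IP address
                pass
        if label:
            findings.append((line_no, label, line))
    return findings

if __name__ == "__main__":
    print(*find_violations(SAMPLE_FLOWS), sep="\n")
```
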
In home-based settings, many of the same rules apply:
- Set a secure password on all cameras.
- Keep an inventory of your cameras and their purchase dates.
- Make sure that you know all your camera locations.
- Create a calendar reminder to log into the manufacturer’s site to check for security updates.
Enterprise Security Solutions
It’s clear that IoT security cameras have a firm place in modern enterprise environments, and their role in securing physical perimeters and assets on-site can be invaluable. However, their interconnected nature introduces several sophisticated cyber risks that must not be ignored.
Understanding these common attack vectors, entry points, and remediation measures can help organizations fortify their incumbent defense strategies and maintain an IoT network of cameras that stays resilient in the face of evolving cyber threats.
For more comprehensive network and system coverage, consider Fortra’s full-service security solutions, which encompass a vast suite of fully-managed products and services that ensure any organization’s (however complex) IoT setup is as secure and robust as can possibly be. Cybersecurity must be considered at all levels within any organization, from the initial procurement of any hardware through to ongoing management and its eventual decommissioning. Don’t let your hardware become an entry point to malicious cybercriminals looking to exploit your data and assets.
Disclaimer: This article is for informational purposes and should not be considered definitive security guidance. Always consult with cybersecurity professionals for specific organizational needs.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.