The state of “security by design” (or lack thereof) in Internet of Things (IoT) devices is once again in the headlines, as Ukraine’s military has asked the country’s residents to turn off private surveillance cameras due to rampant hacking of them by Russia.
The issue has come to a head since the new year started as Russia has waged a heavy and sustained bombing campaign against Kyiv. The Security Service of Ukraine (SSU) says that some of these attacks have been informed by hacking of residential cameras that can be redirected to look over targets of interest, such as air defense and power systems. The agency did not detail security failings in any of these cases, but many inexpensive WiFi surveillance cameras are still manufactured such that they cannot be readily secured by their owners.
“Security by design” still eludes many connected devices
Hacking of private security cameras is far from a new development in war, and Ukraine is likely doing some of this as well. But it also seems that it has never been easier, with IP cameras being very inexpensive yet also not much more secure than they have been in years past.
The market of connected devices is still one in which manufacturing cost concerns are king, and regulations are only beginning to address the issue of forcing these manufacturers to implement strong out-of-the-box protection. Even well-meaning and competent IT teams struggle to keep these devices secure in business settings, especially when the company buys them in large volumes and they are not kitted out with features that easily slot them into network security schemes.
When it comes to surveillance cameras, sometimes the risk is simply overlooked. Even competent security teams often assume that a local camera meant to monitor the property is not something that hackers will bother digging for. But even if hackers have no interest in watching the feed, these cameras can have other uses: a potential point of entry for lateral network movement, or as another piece of a botnet.
Organizations are increasingly seeing IoT devices outnumber traditional IT devices, and rates of 10-to-1 are not uncommon. But surveillance cameras and other devices also often do not offer firmware or software updates, and sometimes even do not make it possible to create strong passwords. That leaves some tough questions about how to manage this sprawling web of internet-connected devices, particularly when many organizations do not even have a complete inventory of them.
Russian hackers target adjustable IP surveillance cameras
For their part, the Ukrainian military has a simple proscription for surveillance cameras: turn them off, at least until the war is over.
Officials have already ordered about 10,000 of these cameras blocked from the internet, and it is asking anyone with a surveillance camera that could potentially film a target of interest to disconnect it. Russia has used hacked cameras to gather intelligence on targets for its drones and missiles, which have been heavily pounding Kyiv since January 2 and have disrupted the supply of electricity to about 250,000 in the city.
In the two cases that Ukrainian officials shared with the media, hacked surveillance cameras were mounted on residential properties and turned to face a critical infrastructure target. One was mounted on an apartment building, another overlooked a residential parking lot. Russian hackers have previously been observed taking control of the cameras in coffee shops to keep watch for troop or material movements on the streets outside.
What can be done about surveillance camera security in the near term? The best measures come at the time of purchase. All cameras (and IoT devices in general) should be inventoried as they are deployed, and need to be researched before purchase to ensure that they allow for setting and changing strong passwords and for some means of addressing vulnerabilities that might develop. Organizations also might review remote services and connectivity features to ensure they are not creating a perch for attackers to use these devices as a base to attack from.