Imagine someone who breaks into an Internet-connected camera used by an organization and then quietly watches a meeting where important decisions are being made, a manufacturing process is being described, or internal training is being held. It is easy to see what could be done with that information. This is exactly the scenario that many organizations around the world face without realizing it.
One in 12 organizations with webcams that “look” straight at the Internet fails to secure them properly, according to a new report on insecure IoT devices from BitSight, which leaves those companies open to compromise.
3% of organizations tracked by BitSight have at least one video or audio device exposed directly to the Internet. When video or audio meetings are held in front of such a device, they have in effect allowed unauthorized persons to watch the discussions and listen in on the conversations.
Which organizations are most at risk?
The organizations analyzed include those in the hospitality, education, technology and government sectors. Of these, education is the most exposed: one in four of the education organizations examined uses Internet-facing webcams – or similar devices susceptible to video or audio compromise.
Many Fortune 1,000 companies are among the most exposed, the analyst firm said, including some we would hardly expect to be technologically vulnerable, such as telecoms and technology companies.
Most of the devices analyzed by BitSight use the Real-Time Streaming Protocol (RTSP) to communicate over the Internet, although some use HTTP and HTTPS. Through RTSP, a client negotiates delivery of the video and audio content and issues commands to record, play, and pause the feed.
Although many of the devices examined for the report were webcams, the analysis also covered network video recorders, smart doorbells, and smart vacuum cleaners.
Why are they at risk?
The “Internet-facing” devices analyzed were not behind a firewall or VPN, which leaves them open to attack from anyone who can reach them.
Some of the devices in question were misconfigured. Others had no user-set password at all. Still others were affected by a specific class of access control vulnerability known as an insecure direct object reference (IDOR).
IDOR vulnerabilities have become an increasingly worrisome phenomenon recently, according to BitSight. In 2022, BitSight discovered several critical vulnerabilities of this kind in a popular car GPS tracker. One of them, designated CVE-2022-34150, could allow an attacker to obtain data from a device regardless of which user account it belongs to.
Video and audio communications should be protected by access control; many of the devices examined are not, allowing attackers to “peek” into conference connections and spy on conversations. A skilled attacker can even alter the content being exchanged to spread false information, BitSight explains.
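The flaw BitSight describes is the textbook IDOR pattern: an authenticated request names a record by a guessable ID, and the server looks it up without checking that the record belongs to the caller. The following is an added illustration, not code from BitSight or from any real tracker product; the device records, account names and positions are constructed, and the handler names are hypothetical. It shows the vulnerable lookup beside the fixed one, and the ID sweep an attacker would run against each.

```python
"""Insecure direct object reference (IDOR): the vulnerable lookup beside the fixed one.

Hypothetical tracker back end constructed for this example; it is not the code of any
real product. Records are looked up by a numeric, guessable device ID.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Device:
    device_id: int
    owner: str                           # account the device is registered to
    label: str
    last_position: tuple[float, float]   # constructed sample data, not real coordinates


# Constructed inventory: two accounts, each with one tracker.
DEVICES: dict[int, Device] = {
    1001: Device(1001, "alice", "fleet-van-1", (51.50, -0.12)),
    1002: Device(1002, "bob", "exec-car", (48.86, 2.35)),
}


class NotFound(Exception):
    """Raised when a device cannot be returned to the caller."""


def get_device_vulnerable(requesting_user: str, device_id: int) -> Device:
    """Vulnerable handler: the caller is authenticated (we know who they are), but the
    handler never checks that the requested device is theirs. Any logged-in user can
    read any device simply by supplying its ID."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    return dev


def get_device_fixed(requesting_user: str, device_id: int) -> Device:
    """Fixed handler: the lookup is scoped to the caller. The ownership check sits next to
    the existence check, and both failures raise the same error so the response does not
    confirm which IDs exist for other users."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != requesting_user:
        raise NotFound(device_id)
    return dev


def enumerate_as(user: str, handler: Callable[[str, int], Device],
                 id_range: Iterable[int]) -> list[str]:
    """What an attacker does with an IDOR: walk the sequential ID space as one
    low-privilege account and keep whatever comes back. Returns the labels obtained."""
    found: list[str] = []
    for device_id in id_range:
        try:
            found.append(handler(user, device_id).label)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    sweep = range(1000, 1005)
    print("vulnerable:", enumerate_as("alice", get_device_vulnerable, sweep))  # both devices
    print("fixed:     ", enumerate_as("alice", get_device_fixed, sweep))       # only alice's
```

The fix is deliberately made inside the lookup rather than as a separate check the caller must remember to add: a handler that fetches by ID and then filters is one forgotten line away from being the vulnerable version again. Using the same error for "missing" and "not yours" also stops the endpoint acting as an oracle for which IDs exist.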
Some of the areas “viewed” by vulnerable web cameras include manufacturing facilities, laboratories, meeting rooms, school buildings and hotel lobbies. What does this mean?
Vulnerable webcams and other IoT devices open the door to several types of threat. An attacker can follow important meetings and conversations, collecting personal data or compromising information exchanged in video or audio discussions. The whereabouts of employees, managers and other key people can be revealed. The attacker can also observe other business activities, gathering sensitive information not only about the company but also about third parties.
Exposed footage can even compromise physical security. Some of the webcams analyzed by BitSight monitor secure doors and rooms, potentially giving criminals the information they need to get past physical access controls.
Needless to say, the overall cyber security of the organization is also put at risk in this way. Access to vulnerable audio and video devices gives attackers more data with which to compromise internal IT systems and networks.
To help organizations reduce the risks of unsecured webcams connected directly to the Internet, BitSight offers several tips. All internal devices of this type should be reviewed, along with those of existing partner organizations.
“Put all vulnerable devices behind a firewall or VPN,” the analysts recommend. Each camera should also be protected by access control, that is, by requiring credentials before the stream can be viewed.
It is also important to track software vulnerabilities in these devices. The manufacturer should have provided a software patch or another way to protect the device. If the vendor is unable or unwilling to provide a fix, the remaining option is to replace the device, preferably with one from a different brand.
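The review step above, combined with the RTSP exchange described earlier, can be turned into a concrete check: send one RTSP DESCRIBE request to each camera in the inventory and see whether the stream description comes back without a credential challenge. The following is an added example, not BitSight's tooling and not the firmware of any particular device. The wire format follows RFC 2326 (RTSP/1.0); the two sample responses are constructed, and the address in the usage comment is an RFC 5737 documentation address, not a real host. Run it only against devices you own or are authorized to test.

```python
"""Check whether an RTSP device answers DESCRIBE without credentials.

Added example, not BitSight's tooling. The wire format follows RFC 2326 (RTSP/1.0);
the sample responses below are constructed, and 192.0.2.10 is a documentation address.
"""
from __future__ import annotations

import socket

RTSP_PORT = 554


def build_describe_request(url: str, cseq: int = 1) -> bytes:
    """DESCRIBE asks the server for the SDP description of the stream. A device that
    answers 200 here with no authentication challenge will normally let SETUP/PLAY
    through as well, so this one request separates an open camera from a protected one."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-exposure-check/0.1\r\n"
        "\r\n"
    ).encode("ascii")


def parse_rtsp_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split an RTSP response into (status code, lower-cased headers, body).
    RTSP uses HTTP/1.x framing: status line, header lines, blank line, optional body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(status: int, headers: dict[str, str]) -> str:
    """Turn the DESCRIBE result into a finding."""
    if status == 200:
        return "open"                       # stream description served with no credentials
    if status == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower() or "unknown"
        return f"auth-required ({scheme})"  # e.g. 'auth-required (digest)'
    return f"other ({status})"              # 404 wrong path, 403, 454 etc.: inspect by hand


def assess_response(raw: bytes) -> str:
    status, headers, _ = parse_rtsp_response(raw)
    return classify(status, headers)


def probe_rtsp(host: str, port: int = RTSP_PORT, path: str = "/", timeout: float = 5.0) -> str:
    """Connect to host:port, send one DESCRIBE and classify the answer."""
    url = f"rtsp://{host}:{port}{path}"
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_describe_request(url))
            while b"\r\n\r\n" not in raw:        # read until the header block is complete
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"
    if not raw:
        return "no-response"
    try:
        return assess_response(raw)
    except ValueError:
        return "not-rtsp"


# Constructed responses, modelled on what cameras typically send back.
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 28\r\n\r\nv=0\r\ns=Camera 1\r\nm=video 0\r\n"
)
SAMPLE_CHALLENGE = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="IP Camera", nonce="5f3c9a"\r\n\r\n'
)

if __name__ == "__main__":
    print("constructed open camera:     ", assess_response(SAMPLE_OPEN))       # open
    print("constructed protected camera:", assess_response(SAMPLE_CHALLENGE))  # auth-required (digest)
    # Against a device in your own inventory (placeholder address):
    # print(probe_rtsp("192.0.2.10"))
```

A camera that reports "open" is the case the report describes: the feed is viewable by anyone who can reach port 554, and the only real fix is to move it behind the firewall or VPN and enable authentication. An "auth-required (basic)" result still deserves attention, since Basic credentials travel in the clear over plain RTSP. Devices that serve the same stream over HTTP or HTTPS, as some in the report do, need an equivalent check against their web endpoint.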
“This research shows that even innocent everyday technologies like webcams can leave organizations highly vulnerable,” said BitSight Chief Risk Officer Derek Vadala.