Candid Camera, Threats from the inside and Beyond

Published on May 15, 2013

Those of us of a certain age can remember very well when the first webcam went online. It was pointed at the coffee pot at a computer science lab within Cambridge University, and provided a simple method for employees to determine if the pot was empty before walking down the hall for a cup. The camera had actually been on the local network for several years, but once browsers became image capable it was simpler to use the web server. Of course, that had the effect of making real-time coffee pot imagery available to anyone in the world – and the concept of internet surveillance was born.

Now, of course, there are untold hundreds of millions of cameras connected to the web. The vast majority of them are standalone devices, running a rudimentary operating system a TCP/IP stack and a simple web server. You just connect them, point them at the target, and turn on the power. It’s easy to forget that these devices are connected to both the internet and the corporate network, and any vulnerability in the on-board software might allow an attacker to access the network proper. It’s not terribly surprising that we have a limited understanding of the design or architecture of such commodity devices. They certainly aren’t built with network security in mind, and in a wireless networking environment there are no barriers to any employee or department installing an IP Camera. To make matters worse, they are ubiquitous in home networks, monitoring everything from pets and children to wayward husbands. With so many users accessing the corporate network from home, a vulnerability in one of those IP Cameras can lead to a compromised enterprise network, and the corporate IT staff has no way to ever discover these essentially embedded devices.

Vulnerability researchers from Core Security did an analysis of some popular IP Cameras last month and found a wide variety of simple, exploitable vulnerabilities.  Some were both typical and common, from code injection weaknesses to partial output streams available to unauthenticated users.  But they also found hard – coded passwords, built in back doors that give an attacker full control over the network device. This sort of unnecessary, intentional security flaw would be unlikely in a modern enterprise network device, but it’s still the wild west in the world of consumer hardware. And it must be borne in mind that it is not just cameras – everything from thermostats to sprinkler systems to building access devices are being connected to the internet, and every one of these devices represents a threat to your network, your users, your customers and your data.

Once again, the lesson is simple. We have lost any ability we might have had to secure our network at the perimeter.  It’s increasingly difficult, if not impossible to even define where the perimeter is. Two things are certain. First, the network has vulnerabilities we don’t know about and can’t defend, and second, attackers often know much more about these vulnerabilities, what they are and, critically, WHERE they are, than we do. Attackers both inside and external can compromise our security – if we can’t protect against them we MUST be able to detect them. In this environment, a robust security intelligence solution like Securonix is no longer a luxury, but is rapidly becoming a very urgent necessity.