Default password on the bottom of a security camera

Many brands of webcams, security cameras, and pet and baby monitors use a woefully insecure cloud-based remote control system. It can allow hackers to take over devices by performing Internet scans, modifying the device ID parameter, and using a default password to gain control over the user’s equipment and its video stream.

In the last nine months, two security firms have published research on the matter. Both pieces of research detail how these camera vendors let customers use a mobile app to control their device from remote locations and view its video stream.

The mobile app requires the user to enter a device ID and a password found on the device’s box or on the device itself. Under the hood, the mobile app connects to the vendor’s backend cloud server, and this server establishes connections to each of the user’s devices in turn, based on the device ID and the last IP address the device has reported from.

Many cameras feature silly passwords

Last year, Security Research Labs (SRLabs) published a report and gave a talk at a security conference in Berlin about this issue.

The company found that several vendors were using this “camera management scheme” but were using sequential IDs for their devices with default passwords such as “123,” “123456,” or “888888.” The company found over 810,000 devices exposed this way.

[Figure: Number of devices with silly passwords]

[Figure: Companies using the insecure management model]

SRLabs said that because the IDs weren’t randomly generated, it was trivial for an attacker to create a script that connects to the vendor’s backend cloud server and attempt to add devices by cycling through the sequential device IDs and using the default password.
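As an added illustration (not code from the article, SRLabs, or any camera vendor), the toy Python model below puts the exposed vendors' pairing scheme next to a hardened one: sequential device IDs with the shared defaults named above, versus random IDs with a unique per-device secret, plus a backend-side check that blocks a client cycling through many distinct device IDs. The CloudBackend class, its threshold and the in-memory data are assumptions for the example.

```python
import hmac
import secrets
import string
from collections import defaultdict

# Defaults named in the article (constructed list for the example)
DEFAULT_PASSWORDS = {"123", "123456", "888888"}


class CloudBackend:
    """Toy model of the vendor relay: maps device IDs to pairing passwords."""

    def __init__(self, max_distinct_ids_per_client=5):
        self.devices = {}                 # device_id -> pairing password
        self.attempts = defaultdict(set)  # client -> distinct device IDs tried
        self.max_ids = max_distinct_ids_per_client

    def register_insecure(self, count):
        """The exposed design: sequential zero-padded IDs, one shared default."""
        start = len(self.devices) + 1
        for i in range(start, start + count):
            self.devices[str(i).zfill(6)] = "123456"

    def register_hardened(self):
        """Hardened design: unguessable ID and a per-device random secret."""
        device_id = secrets.token_hex(8)          # 64 bits, not enumerable
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(16))
        self.devices[device_id] = password
        return device_id, password

    def pair(self, client, device_id, password):
        """Return 'ok', 'denied' or 'blocked'.

        A client that tries more distinct IDs than the threshold is treated as
        an enumeration scan and blocked before the password is even checked.
        """
        tried = self.attempts[client]
        tried.add(device_id)
        if len(tried) > self.max_ids:
            return "blocked"
        expected = self.devices.get(device_id)
        if expected is not None and hmac.compare_digest(expected, password):
            return "ok"
        return "denied"


def audit_default_passwords(backend):
    """Defender check: IDs of registered devices still on a known default."""
    return sorted(i for i, pw in backend.devices.items() if pw in DEFAULT_PASSWORDS)
```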

This simple scheme allows…