Many brands of webcams, security cameras, pet and baby monitors, use a woefully insecure cloud-based remote control system that can allow hackers to take over devices by performing Internet scans, modifying the device ID parameter, and using a default password to gain control over the user’s equipment and its video stream.
In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream.
The mobile app requires the user to enter a device ID, and a password found on the device’s box or the device itself. Under the hood, the mobile app connects to the vendor’s backend cloud server, and this server establishes connections to each of the user’s device in turn, based on the device ID and the last IP address the device has reported from.
Many cameras feature silly passwords
Last year, Security Research Labs (SRLabs) published a report and gave a talk at a security conference in Berlin about this issue.
The company found that several vendors were using this “camera management scheme” but were using sequential IDs for their devices with default passwords such as “123,” “123456,” or “888888.” The company found over 810,000 devices exposed this way.
SRLabs said that because the IDs weren’t randomly generated, it was trivial for an attacker to create a script that connects to the vendor’s backend cloud server and attempt to add devices by cycling through the sequential device IDs and using the default password.
This simple scheme allows…