On Friday, a security researcher warned a conference audience that more than 120,000 Internet of Things cameras currently reachable from the internet can be hacked with little effort.
The researcher found vulnerabilities in two cameras from the Chinese company Shenzhen Neo Electronic that let attackers view the video stream remotely or take full control of the device, which could allow someone to assemble an Internet of Things botnet of around 150,000 devices. Alex Balan, a researcher at security firm Bitdefender, found the flaws and said he tried to warn the company but never received a response. The flaws remain unpatched, and Balan fears they may never be.
The cameras in question are the NIP-22 and the iDoorbell, but Balan suspects that cameras from other vendors that ship the same firmware have the same bugs. He added that there is no mechanism to update the cameras automatically or to push patches to them.
These are not the first IoT cameras or devices found to be vulnerable. In the past few years alone, security researchers and hackers have found flaws in surveillance cameras, stuffed animals, dishwashers, crockpots and even dildos. Each of these devices could be hacked individually, but in some cases attackers managed to enlist enormous numbers of vulnerable devices, hundreds of thousands of them, into botnets. Those botnets have been used to launch distributed denial of service attacks that, in one case, crippled the internet on the east coast of the United States.
Balan analyzed the vulnerable cameras and found two types of vulnerability. The first is that the cameras ship with default username and password combinations, so anyone who can reach a camera over the internet can log in remotely and watch the live stream. As of Friday, Shodan lists almost 130,000 exposed cameras. To reach the live stream, all an attacker needs is the combination "user"/"user" or "guest"/"guest", Balan said.
The second is a buffer overflow that lets attackers take control of a camera remotely and, from there, turn it into a zombie device in a botnet.
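One way a defender can spot the default-credential problem described above in their own network is to look for successful logins that used those factory pairs. The script below is an added example, not code from the article or from Shenzhen Neo; it assumes the camera's web interface uses HTTP Basic authentication and that a proxy or sensor logs the Authorization header in the format shown (the article does not say which protocol the stream uses, so both the protocol and the log layout are assumptions). It generalises slightly beyond the two pairs the article names by also flagging blank passwords and passwords equal to the username. The log lines are constructed for the example.

```python
import base64
import binascii
import re

# Default pairs the article names for the NIP-22 / iDoorbell.
DEFAULT_PAIRS = {("user", "user"), ("guest", "guest")}

# Assumed log format (not from the article): src dst "METHOD path" status auth="..."
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)


def decode_basic(auth_header):
    """Return (user, password) from a 'Basic <base64>' value, else None."""
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: split on the first colon only, passwords may contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_default(user, password):
    """Known default pairs, plus the blank-password and user==password
    patterns commodity firmware commonly ships with (a heuristic that goes
    beyond the two pairs the article names)."""
    return (user, password) in DEFAULT_PAIRS or password == "" or user == password


def audit(log_lines):
    """Return one finding per successful (2xx) request that authenticated
    with default credentials; malformed lines are skipped, not guessed at."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        creds = decode_basic(m["auth"])
        if creds is None or not m["status"].startswith("2"):
            continue
        user, password = creds
        if is_default(user, password):
            findings.append({"src": m["src"], "dst": m["dst"],
                             "user": user, "path": m["path"]})
    return findings


def basic(user, password):
    """Build a Basic header value; used only to construct the sample log."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


# Constructed sample log (not real traffic): two default-credential logins
# that succeeded, one strong credential, one rejected blank-password attempt,
# and one line carrying a non-Basic token that the parser must ignore.
SAMPLE_LOG = [
    f'203.0.113.7 192.0.2.10:80 "GET /stream" 200 auth="{basic("user", "user")}"',
    f'198.51.100.9 192.0.2.11:80 "GET /snapshot" 200 auth="{basic("guest", "guest")}"',
    f'192.0.2.55 192.0.2.10:80 "GET /stream" 200 auth="{basic("operator", "Tr0ub4dor&3")}"',
    f'203.0.113.7 192.0.2.12:80 "GET /stream" 401 auth="{basic("admin", "")}"',
    '203.0.113.7 192.0.2.12:80 "GET /stream" 200 auth="Bearer not-basic"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} as {f['user']!r} ({f['path']})")
```

Run as-is it reports the two successful default-credential logins and nothing else. Because the devices cannot be patched, a hit here is a signal to change the credentials if the firmware allows it and, in any case, to take the camera off the public internet.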
Shenzhen Neo did not immediately answer a request for comment.
By presenting the research at Def Con on Friday, Balan hopes to raise awareness of the flaws found in IoT devices and to push other researchers to probe such devices for vulnerabilities.
Balan said there is not yet enough awareness of mass compromises of IoT devices, but he believes that may change.