FortiGuard Labs Telemetry – Round up of 2016 IoT Threats (Part 3) – IP Cameras

More from our ongoing IoT threat research series. Previous post here.

IP Cameras

IP cameras were the second most attacked devices in 2015, at around 363,000 hits. But in 2016 the number dropped to approximately 36,000 hits, as shown below:

Let’s analyze our IP camera IPS triggers to see what’s going on for both of these years:

In 2015, the “Zavio.IP.Cam.wireless_mft.cgi.Command.Injection” (http://fortiguard.com/encyclopedia/ips/37621) triggered the most hits (~ 96%) in the IP camera category. It exploited a vulnerability that allowed threat actors to inject and execute arbitrary commands via a specially crafted URL on affected devices. This vulnerability was found around mid-2013, but the manufacturers have thus far not publicly announced any fixes. Not having any known fixes available likely made this vulnerability a favorite target for threat actors in 2015.

In 2016, however, we saw the number of IP camera signature hits decrease by almost 10x. We also observed that a new vulnerability, “Linksys.Web.Camera.Next.File.Disclosure” (http://fortiguard.com/encyclopedia/ips/13907) triggered the most hits in the IP camera category, comprising ~ 46% of all attacks detected. This is a file disclosure vulnerability that allows threat actors to read arbitrary files via a specially crafted URL on affected devices.

Let’s take a look at how widespread the “Linksys.Web.Camera.Next.File.Disclosure” vulnerability is in 2016, from both a global and regional perspective:

Linksys.Web.Camera.Next.File.Disclosure – Top 10 Countries 2016 (Global)

Linksys.Web.Camera.Next.File.Disclosure – Top 5 Countries 2016 (APAC)

Linksys.Web.Camera.Next.File.Disclosure – Top 10 Countries 2016 (EMEA)

Linksys.Web.Camera.Next.File.Disclosure – Top 10 Countries 2016 (Americas)

Summary

IP cameras are typically installed for security purposes to provide a user with a remote view of their premises or property. To enable that remote view, IP cameras need to be accessible from the internet. In a home network for example, the home router needs to be configured to perform port forwarding in order to enable access to the IP camera located in the user’s home network. If the IP camera is not properly secured (eg. configured with a strong password, installed with the latest firmware to fix known vulnerabilities), threat actors could scan the internet for these devices and exploit them easily. This exploit is made easier with hacked webcam websites like  https://www.shodan.io/. An exploited IP camera allows the threat actor to see the camera video feed, and some of these vulnerabilities also allow the camera to be repurposed as part of a DDoS botnet

Many newer IP cameras are now configured with “P2P” or “cloud-based” capabilities. Usually, a user simply plugs the camera into a network that can access the internet, downloads an app for the IP camera to his/her smartphone, scans a QR code assigned to the IP camera, and voila! he/she can now access the IP camera from the internet via the app (i.e. no messing around with home router port forwarding configurations needed).

Which may explain the decline in IP camera signature hits when comparing 2015 vs 2016? This may be due to more home users preferring to use the P2P/Cloud-based method of accessing their IP cameras from home, which effectively reduce the attack surface of vulnerable IP cameras that are directly accessible from the internet. However, these P2P or cloud-based protocols may also create another layer of security risks as highlighted here, and would likely be the next target for compromising both the IoT device and cloud service.

FortiCameras

It is important to note that these vulnerabilities and resulting attacks were not necessary. For example, we did not detect any successful attacks against our line of Fortinet cameras.

That’s because the architecture of the FortiCamera shields the camera network from the public or internet network. By physically separating traffic and not routing between ports, FortiRecorder acts as a secure proxy for all camera related traffic. Camera configuration is also done through the recorder GUI, and therefore does not expose the camera GUI to the web, while access to the recorder is protected using https. The recorder also manages firmware updates for the cameras, FortiCameras do not have P2P or cloud access enabled.

These are common sense best security practices for connected IoT devices, and could easily be added to any IP camera solution if security were a priority.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.