A Russian website collecting streaming images from internet-connected cameras in the UK and more than 200 other countries highlights a common security failing, say information security professionals.
However, the issue also affects thousands of other internet-connected devices commonly used in the enterprise, such as routers and network-attached storage devices.
Exposed devices are easy to find using internet search engines or websites like Shodan, which publish an index of internet-exposed devices, said Guillermo Lafuente, security consultant at MWR Info Security.
“If any devices discovered on Shodan or search engines were configured with default credentials, then it would be straightforward for an attacker to compromise that device,” he said.
Lafuente advised users of webcams and other internet-connected devices to ensure they always have the latest software updates and frequently change their passwords.
The issue was highlighted in May 2014 by a team of researchers from Context Information Security who found more than 200 accessible internet protocol (IP) cameras in the London area.
“We have been seeing this issue for at least the past three years,” said David Bryan, a security tester at Trustwave.
In one security test for a company, Bryan found a default password was being used to access a webcam that was pointed directly at the safe in the manager’s office.
The use of default or weak passwords is regularly highlighted by security researchers and testers as a route attackers use to gain access to a wide variety of enterprise systems and appliances.
“Developers are also pressured to roll out devices to market quickly and cheaply – leaving little room, if any, to perform security scanning and testing during the development stage,” said Bryan.
The makers of one of the camera types hijacked by the Russian website told the BBC only older versions were vulnerable.
Foscam said software for newer versions of its camera forces users to choose a new password to replace the default password before the device can be accessed.