IoT cameras have major security vulnerabilities, says Bitdefender

News

Reading time icon 3 min. read

Calendar icon Published on

by Madalina Dinita 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Bitfedender recently detected major privacy vulnerabilities in IoT cameras that allow hackers to hijack and turn these devices into full-fledged spying tools.

The camera analyzed by Bitdefender is used for monitoring purposes by many families and small businesses. The device includes standard monitoring features, such as a motion and sound detection system, two-way audio, built-in microphone and speaker, and temperature and humidity sensors.

The security vulnerabilies can easily be exploited during the connection process. The IoT camera creates a hotspot during configuration via a wireless network. Once installed, the corresponding mobile application establishes a connection with the device’s hotspot and connects to it automatically. The app user then introduces the credentials and the setup process is complete.

The problem is that the hotspot is open and no password is required. Moreover, the data circulating between the mobile application, IoT camera and server is not encrypted. And to make things worse, Bitdefender also detected that the network credentials are sent in plain text from the mobile app to the camera.

When the mobile app connects remotely to the device, from outside the local network, it authenticates through a security mechanism known as a Basic Access Authentication. By today’s security standards, this is considered an insecure method of authentication, unless used in conjunction with an external secure system such as SSL. Usernames and passwords are passed over wire in an unencrypted format, encoded with a Base64 scheme in transit.

As a result, an attacker can impersonate the genuine device by registering a different device, with the same MAC address. The server will connect with the device that registered last, and so will the mobile app. In this manner, attackers can capture the webcam’s password.

Anyone can use the app, just as the user would. This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.

In order to avoid privacy breaches, do a thorough research before buying an IoT device and read online reviews that may reveal privacy issues. Secondly, install a cybersecurity tool for IoTs, such as Bitdefender’s Box. These tools will scan the network and block phishing attacks and other threats.

RELATED STORIES YOU NEED TO CHECK OUT:

More about the topics: IoT

Madalina Dinita

Madalina Dinita Shield

Networking & Security Specialist

Madalina has been a Windows fan ever since she got her hands on her first Windows XP computer. She is interested in all things technology, especially emerging technologies -- AI and DNA computing in particular. Prior to joining the WindowsReport team, she worked in the corporate world for a number of years.