IoT cameras have major security vulnerabilities, says Bitdefender

Reading time icon 3 min. read

Readers help support Windows Report. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more

A message from our partner

To fix Windows PC system issues, you will need a dedicated tool

  • Download Fortect and install it on your PC
  • Start the tool's scanning process to look for corrupt files that are the source of your problem
  • Right-click on Start Repair so the tool could start the fixing algorythm
Download from Fortect has been downloaded by 0 readers this month, rated 4.4 on TrustPilot

Bitfedender recently detected major privacy vulnerabilities in IoT cameras that allow hackers to hijack and turn these devices into full-fledged spying tools.

The camera analyzed by Bitdefender is used for monitoring purposes by many families and small businesses. The device includes standard monitoring features, such as a motion and sound detection system, two-way audio, built-in microphone and speaker, and temperature and humidity sensors.

The security vulnerabilies can easily be exploited during the connection process. The IoT camera creates a hotspot during configuration via a wireless network. Once installed, the corresponding mobile application establishes a connection with the device’s hotspot and connects to it automatically. The app user then introduces the credentials and the setup process is complete.

The problem is that the hotspot is open and no password is required. Moreover, the data circulating between the mobile application, IoT camera and server is not encrypted. And to make things worse, Bitdefender also detected that the network credentials are sent in plain text from the mobile app to the camera.

When the mobile app connects remotely to the device, from outside the local network, it authenticates through a security mechanism known as a Basic Access Authentication. By today’s security standards, this is considered an insecure method of authentication, unless used in conjunction with an external secure system such as SSL. Usernames and passwords are passed over wire in an unencrypted format, encoded with a Base64 scheme in transit.

As a result, an attacker can impersonate the genuine device by registering a different device, with the same MAC address. The server will connect with the device that registered last, and so will the mobile app. In this manner, attackers can capture the webcam’s password.

Anyone can use the app, just as the user would. This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.

In order to avoid privacy breaches, do a thorough research before buying an IoT device and read online reviews that may reveal privacy issues. Secondly, install a cybersecurity tool for IoTs, such as Bitdefender’s Box. These tools will scan the network and block phishing attacks and other threats.


More about the topics: IoT