IoT cameras have major security vulnerabilities, says Bitdefender

by Madalina Dinita
Madalina Dinita
Madalina Dinita
Windows & Software Expert
Madalina has been a Windows fan ever since she got her hands on her first Windows XP computer. She is interested in all things technology, especially emerging technologies... read more
Affiliate Disclosure

Bitfedender recently detected major privacy vulnerabilities in IoT cameras that allow hackers to hijack and turn these devices into full-fledged spying tools.

The camera analyzed by Bitdefender is used for monitoring purposes by many families and small businesses. The device includes standard monitoring features, such as a motion and sound detection system, two-way audio, built-in microphone and speaker, and temperature and humidity sensors.

The security vulnerabilies can easily be exploited during the connection process. The IoT camera creates a hotspot during configuration via a wireless network. Once installed, the corresponding mobile application establishes a connection with the device’s hotspot and connects to it automatically. The app user then introduces the credentials and the setup process is complete.

The problem is that the hotspot is open and no password is required. Moreover, the data circulating between the mobile application, IoT camera and server is not encrypted. And to make things worse, Bitdefender also detected that the network credentials are sent in plain text from the mobile app to the camera.

When the mobile app connects remotely to the device, from outside the local network, it authenticates through a security mechanism known as a Basic Access Authentication. By today’s security standards, this is considered an insecure method of authentication, unless used in conjunction with an external secure system such as SSL. Usernames and passwords are passed over wire in an unencrypted format, encoded with a Base64 scheme in transit.

As a result, an attacker can impersonate the genuine device by registering a different device, with the same MAC address. The server will connect with the device that registered last, and so will the mobile app. In this manner, attackers can capture the webcam’s password.

Anyone can use the app, just as the user would. This means turning on audio, mic and speakers to communicate with children while parents aren’t around or having undisturbed access to real-time footage from your kids’ bedroom. Clearly, this is an extremely invasive device, and its compromise leads to scary consequences.

In order to avoid privacy breaches, do a thorough research before buying an IoT device and read online reviews that may reveal privacy issues. Secondly, install a cybersecurity tool for IoTs, such as Bitdefender’s Box. These tools will scan the network and block phishing attacks and other threats.


This article covers:Topics: