Unlucky for some users: Korean manufacturer races to patch vulnerabilities.
Researchers have uncovered serious security holes in a popular security camera range. The flaws could enable hackers to infiltrate networks and launch attacks on connected infrastructures.
Thirteen bugs have been found in the SmartCam range made by South Korean company Hanwha Techwin. The cameras are sold to European SMEs and consumers.
Via the flaws, attackers could gain access to a camera, send voice messages to its onboard speaker, or use its resources for cryptocurrency mining, said Vladimir Dashchenko, head of the ICS CERT Vulnerability Research Team at security vendor Kaspersky Lab.
Among the vulnerabilities are the use of insecure HTTP, remote command execution with root privileges, and no protection against brute-force attacks on the camera’s admin password. Any one of these flaws could enable hackers to launch attacks from within a connected network.
The worst flaw is in a misconfigured Hanwha communications protocol used to link the cameras with Cisco Jabber, said researchers.
According to reports from Threatpost, Kaspersky Lab has shared its findings with Hanwha Techwin, leading the manufacturer to issue firmware patches for the SNH-V6410PN/PNW SmartCam. Other flaws are expected to be patched soon.
Threatpost described the camera as being “riddled” with security holes.
Researchers said that 2,000 of the cameras have publicly accessible IP addresses, but the number of vulnerable devices could be far higher than that. Other cameras from the same vendor are thought to be at risk too.
“We believe there are even more of these cameras in use, but inside protected networks,” said Dashchenko.
“A remote attacker can also put a camera out of service so it can no longer be restored. We were able to prove this hypothesis three times,” he added.
For attacks to be successful, a hacker must know the serial number of the camera, but this is easy to find. “The way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system doesn’t have brute force protection,” explained Kaspersky Lab.
Internet of Business says
Hanwha Techwin was founded in 1977 as Samsung Techwin, but has been part of the Hanwha Group since 2015. It makes surveillance, aeronautics, and weapons systems.
So the fact that such basic security vulnerabilities have been found in a product made by a surveillance and weapons system specialist, whose technology has 41 years of heritage behind it, is a major cause for concern.
The reports come in the wake of security and privacy flaws being found in a range of popular smart home devices, including Amazon’s Alexa-powered range, and other reports suggesting that poor IoT security is a growing problem as vendors and users rush to deploy connected solutions.
This latest security story shows that poor IoT security must now be seen as a serious challenge for IoT professionals.
This is why recent government moves to put security testing front and centre of any IoT purchase are welcome, and it is also why IoT security needs to be regarded as a strategic business issue in far more organisations.