This past week, the internet was in an uproar over an article on Shodan’s recently launched search engine for IoT. What this search engine exposes is that most web cameras homeowners have are highly vulnerable to prying eyes. The feed includes images of backyards, insides of homes, and even sleeping babies.
What makes the cameras vulnerable is that they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. Insecure webcams aren’t a new thing, though: back in 2013 the FTC sanctioned webcam manufacturer TRENDnet, stating that “lax security practices led to the exposure of the private lives of hundreds of consumers on the internet for public viewing.” Now there are millions of insecure webcams connected to the internet, so why are things getting worse?
Consumers Want Things Cheap
A quick Google search for webcams brings up a ton of results, with some cameras selling for as low as five dollars. Do you think a company that sells a five-dollar webcam makes cyber security a priority on their platform? The technology community has put out a number of warnings about how insecure these items are, but that still hasn’t made a difference. Developers need to implement security around their solutions, and consumers need to buy from trusted sources, not just the lowest-cost provider.
The FTC Could Have an Impact on the Security of IoT
Last year the FTC issued security best practices for IoT manufacturers:
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The report includes the following recommendations for companies developing Internet of Things devices:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
Mitigating risk can only get us so far until we can somehow stop deliberate attacks, so while security is only being considered as an afterthought, IoT devices are in for a bumpy ride. Please remember to password-protect anything and everything that is connected to the internet, especially your web camera.