According to reports published by a pair of top security firms and later echoed by both BleepingComputer and Slashdot, IoT machines aren’t nearly as secure as originally believed. Networked devices like baby monitors, security cameras and other small IoT units designed to transmit data over wireless connections have been continually compromised since they were released.
Two reports got released in the last nine months that cover this issue. Both of them state that camera and other IoT device vendors configure their units to work with user-friendly mobile apps. These apps empower users who want to control their devices from remote locations.
Almost all users of these devices take advantage of this sort of functionality in order to keep an eye on video or audio streams from remote locations. In most cases, people are able to watch their cameras from anywhere that they can connect to Wi-Fi or receive a cellular signal.
Mobile apps require users to enter device ID numbers as well as a password found on the device, which is similar to the privacy scheme used by most wireless modems and routers. The app then connects to a vendor’s cloud server and the server then establishes connections to each device based on the ID number as well as the IP address the device is reporting from.
Unfortunately, all of these extraneous layers provide attack vectors. While remote cloud servers are usually secure, if they’re compromised then they can be used for nefarious purposes.
In some cases, attackers have been able to take over the devices and perform network scans with them.
One of the major problems is that IP cameras often feature public-facing IP addresses as a result of this system, which can be a serious issue as it allows attackers to find out where cameras are positioned in networking terms.
Dropping traffic by default and white listing only what you need, similar to how proper workstations manage firewalls, is the best way to alleviate this issue. Diligence is always important, and those that connect any device to a network should be aware of the potential implications of what could happen.
Users are now being urged to ensure that all relevant security updates are installed on their IoT devices as well as personal ones in the hopes of reducing the risks of these sorts of attacks.