Exposed credentials
Credentials can be exposed to unintended users in several ways. In the IP-camera world, several Hikvision cameras were affected by the ‘password in configuration file’ vulnerability, CVE-2017-7923, which allowed a malicious user to escalate privileges or assume the identity of another user.
Unencrypted communication
This is another common vulnerability that affects several IP cameras, best understood by the examples given below:
- CVE-2022-30563: Affected Dahua’s IP cameras. The attacker could launch a man-in-the-middle attack and sniff the unencrypted ONVIF interactions. Then, by replaying the user’s login packet, they could gain full access to the camera.
- CVE-2020-25748: This was found on certain Rubetek cameras. The video feed was transmitted unencrypted over a cleartext protocol, allowing potential interception and modification of the video.
- CVE-2018-7698: Affected specific D-Link cameras. The mydlink+ app sent the username and password for certain connected D-Link cameras from the app to the camera unencrypted, giving an attacker who intercepted that traffic full control of the camera.
Cross-site scripting (XSS)
XSS is a vulnerability related to the web interface provided to the user. Attackers exploiting XSS vulnerabilities need to send the user a link to the web application that carries a malicious script. If the user clicks the link, the requested page opens, but the malicious script is also executed if the application is not properly secured. D-Link IP Camera DCS-2103 and cameras by Eyeplusiot.com are examples of vulnerable cameras.
Cross-site request forgery (CSRF)
While XSS exploits the user’s trust in the application, CSRF exploits the application’s trust in an authenticated user. This vulnerability forces an authenticated user to submit an unintended request to a web application they are authenticated against.
The attacker sends the request to the application on your behalf. This vulnerability affected Bosch IP Cameras with CVE-2021-23849. If the victim was successfully tricked into clicking on a malicious link while logged into the camera, the attacker could successfully trigger actions on the camera on behalf of the user.
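The two web-interface weaknesses above have well-known server-side fixes: output encoding for XSS, and a per-session anti-forgery token for CSRF. The following is an added example written for this article, not code from any camera vendor; the camera-name field, session dictionary and form layout are assumptions used to show the vulnerable rendering beside the hardened one and the token check a state-changing request must pass.

```python
import hmac
import html
import secrets


# ---- XSS: the camera name is user-controlled and ends up in the page ----

def render_camera_name_unsafe(name: str) -> str:
    """Vulnerable rendering: the value is interpolated into HTML unchanged, so a
    name containing markup or a script tag becomes part of the page."""
    return f"<h1>Camera: {name}</h1>"


def render_camera_name_safe(name: str) -> str:
    """Hardened rendering: every HTML-significant character is encoded, so the
    browser displays the text instead of interpreting it."""
    return f"<h1>Camera: {html.escape(name, quote=True)}</h1>"


# ---- CSRF: a per-session secret that a forged cross-site request cannot know ----

def issue_csrf_token(session: dict) -> str:
    """Generates a random token, stores it server-side in the session and returns
    it so the legitimate form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_state_changing(method: str) -> bool:
    """Only requests that change camera state (reboot, user changes, ...) need the
    token; safe methods are read-only by contract."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def authorize_request(session: dict, method: str, form: dict) -> bool:
    """Rejects a state-changing request unless it carries the token issued to
    this session. The constant-time compare avoids leaking the token via timing."""
    if not is_state_changing(method):
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed input: a camera name that carries a script tag.
    payload = "<script>alert('xss')</script>"
    print(render_camera_name_unsafe(payload))
    print(render_camera_name_safe(payload))

    session = {}
    token = issue_csrf_token(session)
    # Legitimate submission from the camera's own page carries the token.
    print(authorize_request(session, "POST", {"action": "reboot", "csrf_token": token}))
    # A request forged from another site cannot read the token, so it is refused.
    print(authorize_request(session, "POST", {"action": "reboot"}))
```

Setting the session cookie with the `SameSite` attribute is a complementary browser-side control, but the token check above is what stops the forged request even on browsers that ignore it.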
Directory traversal
This vulnerability allows an attacker to traverse directories of the camera’s file system, potentially accessing sensitive files. An example is CVE-2010-4231, which affected Camtron and TecVoz IP cameras. In this vulnerability, attackers could exploit a “..” traversal sequence in the URI. Another example is a directory traversal vulnerability used to obtain the root password of a Genie Access WIP3BVAF IP camera.
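The defence against the “..” sequence is to canonicalise the requested path and then check that it still lies inside the directory the web server is meant to serve. The following is an added example, not code from any camera firmware; the temporary web root, the `public/index.html` file and the request strings are constructed for the demonstration. It shows a naive resolver of the kind behind such bugs beside a hardened one that rejects both the plain and the percent-encoded form of the sequence.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Naive handler: decodes the request path and joins it onto the web root.
    '..' components pass straight through, so a request for ../../etc/passwd
    lands outside the web root."""
    decoded = unquote(requested).lstrip("/")
    return os.path.normpath(os.path.join(web_root, decoded))


def safe_resolve(web_root: str, requested: str) -> Path:
    """Hardened handler: decode, canonicalise (resolving '..' and symlinks),
    then require the result to stay inside the web root before any file I/O."""
    root = Path(web_root).resolve()
    candidate = (root / unquote(requested).lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return candidate


def escapes_root(web_root: str, path: str) -> bool:
    """True when a filesystem path lies outside web_root."""
    root = Path(web_root).resolve()
    target = Path(path).resolve()
    return target != root and root not in target.parents


def demo() -> dict:
    """Runs both handlers over constructed requests in a temporary web root and
    reports, per request, whether the naive handler would serve a file from
    outside the root and what the hardened handler decided."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "public").mkdir(parents=True)
        (root / "public" / "index.html").write_text("<h1>camera</h1>")
        requests = [
            "public/index.html",            # legitimate
            "../../etc/passwd",             # classic '..' sequence
            "%2e%2e/%2e%2e/etc/shadow",     # percent-encoded '..'
            "public/../public/index.html",  # '..' that never leaves the root
        ]
        for req in requests:
            naive_path = vulnerable_resolve(str(root), req)
            try:
                safe_resolve(str(root), req)
                decision = "allowed"
            except PermissionError:
                decision = "rejected"
            results[req] = {
                "naive_escapes_root": escapes_root(str(root), naive_path),
                "hardened": decision,
            }
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:32} naive_escapes_root={outcome['naive_escapes_root']} "
              f"hardened={outcome['hardened']}")
```

The check is done on the resolved path rather than by rejecting the literal string `..`, which is what lets the encoded variant through in many real implementations.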
Improper access restrictions
Directories like /tmpfs or /log can be accessible without authentication, potentially revealing sensitive information in plain text format. CVE-2013-2574 is an example that affected certain FOSCAM IP cameras. The reporters of the above vulnerability accessed sensitive information, including access credentials (usernames and plaintext passwords, stored in the config_backup.bin file in the ‘tmpfs’ folder) and Wi-Fi credentials.
Memory corruption
If operations within the bounds of a memory buffer are not properly restricted, it can lead to memory corruption with unpredictable consequences, including downtime. An example is the CVE-2018-10664 vulnerability in multiple models of Axis IP cameras, wherein there was an issue in the HTTPS process. Another example is CVE-2018-19036, which affected several Bosch IP cameras. The out-of-bounds memory operation allowed an unauthorized attacker to execute code on the device.
Best practices for managing camera vulnerabilities
This section will discuss a few practices for managing the vulnerabilities mentioned above.
Automate discovery and monitoring
The first step toward managing your IP cameras is understanding the management scope. It is crucial to identify how many devices are present on your enterprise network, what specifications these devices have, and what firmware version they are running. You should also check whether each device is internet-facing or communicates only on the intranet. Use tools like Shodan to identify if an intranet device inadvertently leaks data to the Internet.
Replace old devices that can’t be remotely managed
Devices that are end-of-life (EoL) may still be supported by the vendor but have been designated as unfit for long-term use. As such, they should be treated as high-risk and prioritized for replacement. Furthermore, as EoL devices enter the End of Service-Life (EoSL) stage, they will no longer receive patches or updates, which makes them easy targets for attackers due to the certainty of successful exploitation of identified vulnerabilities. Over time, managing these devices becomes a manual effort, and they can be easily overlooked in an enterprise system containing hundreds or thousands of devices. A vulnerability in any of these devices can remain persistent and have long-term consequences on the overall health of your security system.
SecuriThings offers a software solution that simplifies the management of physical security devices. It offers centralized control, automation, and real-time monitoring. Upon deployment, the platform delivers complete visibility into the end-of-life (EOL) timeline for your entire device fleet. Additionally, it recommends suitable replacement models to ensure a smooth transition during device upgrades.
Perform regular firmware updates and automate them where possible
You can fix most of the vulnerabilities discussed in the above section via firmware updates, and manufacturers regularly release patch updates to fix the reported issues. Automating the firmware update process ensures that the vulnerabilities are fixed as soon as a fix is available.
You can set up an automated firmware upgrade routine by setting up a custom service to check with the camera manufacturer for an update (e.g., using an API) and then deploying it in a phased manner across your fleet. Alternatively, you can use enterprise solutions like those provided by SecuriThings to manage the firmware updates.
Implement strong password security practices
First, you should change the default password once the camera is set up. Next, you should enforce a strong password policy to protect against brute-force and dictionary attacks. Next, rotate passwords regularly (preferably in an automated manner). Rotation ensures that the extent of damage caused by a compromised password is limited. Finally, complement password rotation with other features, like multi-factor authentication (MFA). To limit the scope of impact in the event of password compromise or leakage, you should avoid using the same password, regardless of its complexity, across your IoT estate.
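The four points above (no defaults, a complexity policy, regular rotation, no reuse across the estate) can all be checked by the credential manager at the moment it rotates a password, since that is the one point where it necessarily holds the new value. The following is an added example, not vendor or product code; the default-password list, the fleet records and the fixed audit date are constructed placeholders, and the thresholds are assumptions to be set by policy.

```python
from datetime import date

# Constructed list of factory-default / dictionary passwords (illustrative, not
# taken from any vendor). A real deployment would load a much larger list.
DEFAULT_PASSWORDS = {"admin", "12345", "123456", "password", "camera", "888888"}
MIN_LENGTH = 12               # policy thresholds, assumed for the example
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 90


def password_weaknesses(password: str) -> list:
    """Policy check for a single password: default/dictionary match, length and
    character-class diversity (lower, upper, digit, symbol)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known default or dictionary password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def audit_fleet(devices: list, today: date) -> dict:
    """Fleet-wide check run at rotation time. Flags weak passwords, a password
    shared by more than one device, and passwords older than MAX_AGE_DAYS.
    Returns {device_id: [findings]}; an empty list means the device passed."""
    findings = {d["id"]: password_weaknesses(d["password"]) for d in devices}
    users_of = {}
    for d in devices:
        users_of.setdefault(d["password"], []).append(d["id"])
    for ids in users_of.values():
        if len(ids) > 1:
            for dev_id in ids:
                findings[dev_id].append(f"password shared with {len(ids) - 1} other device(s)")
    for d in devices:
        age = (today - d["last_rotated"]).days
        if age > MAX_AGE_DAYS:
            findings[d["id"]].append(f"not rotated for {age} days")
    return findings


# Constructed sample fleet; the audit date is fixed so the result is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_FLEET = [
    {"id": "cam-lobby",  "password": "admin",          "last_rotated": date(2023, 4, 28)},
    {"id": "cam-dock-1", "password": "Gate-Cam-2024!", "last_rotated": date(2024, 5, 2)},
    {"id": "cam-dock-2", "password": "Gate-Cam-2024!", "last_rotated": date(2024, 5, 2)},
    {"id": "cam-roof",   "password": "Xq7!pLm2#vRt9z", "last_rotated": date(2024, 5, 22)},
]


def sample_audit() -> dict:
    return audit_fleet(SAMPLE_FLEET, TODAY)


if __name__ == "__main__":
    for dev_id, problems in sample_audit().items():
        print(dev_id, "->", problems or ["ok"])
```

Outside the rotation window the manager should hold only salted hashes, so reuse detection belongs at rotation time; the complexity rule is a floor, and MFA on the management plane still matters because no policy stops a password from being phished or leaked.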
Encrypt data in transit
Ensure that all communication with the camera is encrypted, locally or via the cloud. Disable services like Telnet and FTP that send data in cleartext if they are not required so that your attack surface is reduced.
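An inventory export is where the discovery, end-of-life, firmware and cleartext-service checks from the preceding sections come together. The following is an added example written for this article, not SecuriThings or vendor code; the inventory records, model names, firmware baseline and EoL dates are constructed placeholders. It also shows why firmware versions must be compared numerically rather than as strings, a mistake that silently marks an outdated device as current.

```python
import re
from datetime import date

# Constructed inventory, in the shape an asset-discovery export might take.
# Models, versions and EoL dates are placeholders, not vendor data.
INVENTORY = [
    {"id": "cam-01", "model": "Model-A", "firmware": "5.4.0",  "eol": "2023-12-31",
     "internet_facing": True,  "services": ["https", "rtsp", "telnet"]},
    {"id": "cam-02", "model": "Model-B", "firmware": "2.10.0", "eol": "2027-01-01",
     "internet_facing": False, "services": ["https"]},
    {"id": "cam-03", "model": "Model-B", "firmware": "2.9.1",  "eol": "2027-01-01",
     "internet_facing": False, "services": ["http", "https", "ftp"]},
]

# Constructed baseline: lowest firmware per model that contains the known fixes.
MIN_FIRMWARE = {"Model-A": "5.5.2", "Model-B": "2.10.0"}
# Services that carry credentials or data without encryption.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


def parse_version(version: str) -> tuple:
    """Turns '2.10.0' into (2, 10, 0) so versions compare numerically.
    Plain string comparison gets this wrong: '2.9.1' > '2.10.0' as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def firmware_outdated(model: str, version: str) -> bool:
    baseline = MIN_FIRMWARE.get(model)
    return baseline is not None and parse_version(version) < parse_version(baseline)


def audit_device(device: dict, today: date) -> dict:
    """Collects findings for one device and derives a risk level from them."""
    findings = []
    stale = firmware_outdated(device["model"], device["firmware"])
    if device["model"] not in MIN_FIRMWARE:
        findings.append("no firmware baseline for this model")
    elif stale:
        findings.append(f"firmware {device['firmware']} below baseline "
                        f"{MIN_FIRMWARE[device['model']]}")
    past_eol = date.fromisoformat(device["eol"]) < today
    if past_eol:
        findings.append(f"past end-of-life ({device['eol']}); no further patches expected")
    cleartext = sorted(CLEARTEXT_SERVICES & set(device["services"]))
    if cleartext:
        findings.append("cleartext services enabled: " + ", ".join(cleartext))
    if device["internet_facing"]:
        findings.append("reachable from the Internet")

    # Exposure multiplies the impact of a device that cannot or has not been patched.
    if device["internet_facing"] and (stale or past_eol or cleartext):
        risk = "critical"
    elif stale or past_eol or cleartext:
        risk = "high"
    else:
        risk = "ok"
    return {"risk": risk, "findings": findings}


def audit_inventory(inventory: list = INVENTORY, today: date = date(2024, 6, 1)) -> dict:
    """Runs the check over the whole fleet; the fixed date keeps the demo reproducible."""
    return {d["id"]: audit_device(d, today) for d in inventory}


if __name__ == "__main__":
    for dev_id, result in audit_inventory().items():
        print(f"{dev_id}: {result['risk']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The records here are static, but the same functions apply to whatever the discovery tool exports; the point is that risk is derived from exposure combined with patch state, so an internet-facing device past end-of-life sits at the top of the replacement queue regardless of which other findings it carries.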
Enforce strict access controls
Strict access control policies based on the principle of least privilege further help reduce the attack surface. Every unnecessary access is a potential vulnerability source. Human carelessness can be an important enabler for attackers to exploit vulnerabilities, and minimizing access to the bare minimum required provides protection against it.
Follow XSS and CSRF-related best practices
As discussed in the above section, these vulnerabilities are related to the web interface provided by the camera. The best practices when using the web interface are listed below:
- When a camera session is active, don’t use any other website
- Don’t click any link from an untrusted source that takes you back to the camera
- If possible, use a different browser than default when interacting with any camera
- Close the browser after every camera session
Key, secret, and certificate management
Secrets, keys, and certificates are key to IoT device security, as they secure authentication, communication between devices, and management solutions. Unmanaged certificates, self-signed certificates, low-complexity keys, high-TTL tokens, and insecure storage are common weaknesses that attackers exploit to compromise devices. As organizations deploy a greater number of IoT devices, manual management becomes impractical. Automated management provides clear cost savings and greater value through continuous certificate visibility to enable rotation and provide avenues for efficient issue resolution and decision-making.
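High-TTL tokens are one of the weaknesses listed above, and the place to enforce a lifetime policy is the token validator itself. The following is an added example, not code from any product or camera platform; it issues and validates compact HS256 JWTs with the standard library only, and the signing key, clock value and one-hour limit are constructed placeholders. The validator checks structure, algorithm and signature before it reads any claim, then rejects tokens whose `exp - iat` exceeds policy even when they have not yet expired.

```python
import base64
import hashlib
import hmac
import json

# Policy: a device/session token lives at most an hour. The key and clock value
# are constructed so the demonstration is reproducible.
MAX_TTL_SECONDS = 3600
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes) -> str:
    """Issues an HS256 JWT: base64url(header).base64url(claims).base64url(sig)."""
    def compact(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_b64url(_sign(signing_input, key))}"


def validate_token(token: str, key: bytes, now: int, max_ttl: int = MAX_TTL_SECONDS):
    """Returns (accepted, reason). Structure and algorithm are checked first, then
    the signature, and only then the claims, so nothing unsigned is ever trusted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8, bad JSON and wrong part count
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return False, f"unexpected alg {header.get('alg')!r}"
    if not hmac.compare_digest(_sign(f"{h}.{p}", key), signature):
        return False, "bad signature"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False, "missing iat/exp"
    if exp - iat > max_ttl:
        return False, f"ttl {exp - iat}s exceeds policy {max_ttl}s"
    if now >= exp:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    cases = {
        "one-hour token":   issue_token({"sub": "cam-01", "iat": DEMO_NOW, "exp": DEMO_NOW + 600}, DEMO_KEY),
        "thirty-day token": issue_token({"sub": "cam-01", "iat": DEMO_NOW, "exp": DEMO_NOW + 30 * 86400}, DEMO_KEY),
        "expired token":    issue_token({"sub": "cam-01", "iat": DEMO_NOW - 1200, "exp": DEMO_NOW - 600}, DEMO_KEY),
        "wrong key":        issue_token({"sub": "cam-01", "iat": DEMO_NOW, "exp": DEMO_NOW + 600}, b"other-key"),
        "garbage":          "not.a.jwt",
    }
    for label, token in cases.items():
        print(f"{label:18} -> {validate_token(token, DEMO_KEY, DEMO_NOW)}")
```

Pinning the algorithm in the validator is what makes the TTL rule meaningful: a check on `exp` is worthless if the header can switch the token to an unsigned form.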