Why the FBI wants you to get serious about password rotation and firmware updates
News flash: On December 16th, 2024, the FBI issued an alert about Hiatus Remote Access Trojan (RAT) malware, which has been targeting Chinese-branded web cameras and digital video recorders (DVRs). HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices across the globe, including the US and the UK, in March 2024, beginning with outdated network edge devices.
To mitigate the risks of compromise, the FBI included steps for addressing specific vulnerabilities as well as general recommendations, such as:
- Implement a strong password policy
- Enforce rotation of network system and account passwords
- Don’t use default or weak passwords for these devices
- Don’t re-use passwords for multiple accounts
- Patch and update firmware, operating systems, and software as soon as manufacturer updates are ready
- Consider removing unsupported devices from your network
Scott Gee, AHA deputy national advisor for cybersecurity and risk, noted that, “This recent campaign appears to have targeted vulnerable Chinese-branded webcams and DVRs for specific, published vulnerabilities and default passwords set by the vendor… The critical takeaway from this bulletin is that patch management programs must cover not only traditional computer systems, but also Internet of Things devices on your network.”
Best practices are a must for passwords
Today’s reality confirms the necessity of the FBI’s recommendations:
- Don’t leave defaults: More than 80% of confirmed breaches are related to reused, stolen, or weak passwords.
- The longer, the stronger: It takes 62 trillion times longer to crack a complex 12-character password than a 6-character password.
- Say goodbye to 12345: 20% of brute force attacks, where attackers try large numbers of password guesses, are successful.
When it comes to unpatched and outdated devices – don’t wait!
Any device that has reached end of service (EOS) or end of life (EOL) should be replaced, and firmware should be updated as soon as the manufacturer releases it. However, these critical cyber hygiene steps often don’t happen for a host of reasons, including the proliferation of connected devices and the difficulty of tracking what needs to be done for each one. Despite the challenges, it’s worthwhile to invest the time and resources in replacing and updating devices as necessary. According to Sophos’ The State of Ransomware 2024, a third of attacks begin with the exploitation of unpatched vulnerabilities.
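As an added example (not code from the FBI alert or from any camera vendor), the following Python audits a constructed device inventory against the recommendation list above and the EOL/firmware guidance in this section, producing a per-device remediation list. The device names, firmware versions, dates, the default-password list and the 90-day rotation window are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
import hashlib

@dataclass
class Device:                # hypothetical inventory record
    name: str
    firmware: str            # installed firmware version
    latest_firmware: str     # newest version the vendor publishes
    eol: "date | None"       # vendor end-of-life date, None while still supported
    password: str            # admin password in use (normally read from a vault)
    password_set: date       # date the password was last changed
# Constructed list of common factory defaults; extend with your vendors' documented defaults.
DEFAULT_PASSWORDS = {"", "admin", "12345", "123456", "password"}
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy
MIN_PASSWORD_LEN = 12        # assumed minimum length

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def audit(devices, today: date) -> dict:
    findings, seen = {}, {}  # seen: sha256(password) -> first device using it
    for d in devices:
        issues = []
        if d.eol is not None and d.eol <= today:
            issues.append("EOL: remove from network or replace")
        elif parse_version(d.firmware) < parse_version(d.latest_firmware):
            issues.append(f"firmware {d.firmware} behind {d.latest_firmware}: update")
        if d.password.lower() in DEFAULT_PASSWORDS:
            issues.append("default or weak password: change it")
        elif len(d.password) < MIN_PASSWORD_LEN:
            issues.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        digest = hashlib.sha256(d.password.encode()).hexdigest()  # compare hashes, not plaintext
        if digest in seen:
            issues.append(f"password reused with {seen[digest]}")
        seen.setdefault(digest, d.name)
        if (today - d.password_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than rotation limit")
        if issues:
            findings[d.name] = issues
    return findings

# Constructed sample inventory (hypothetical names, versions and dates).
SAMPLE_DEVICES = [
    Device("lobby-cam-01", "2.1.0", "2.3.1", None, "admin", date(2023, 6, 1)),
    Device("dvr-02", "5.0.2", "5.0.2", date(2024, 3, 31), "Xq8!vLm2#rT9pW", date(2024, 12, 1)),
    Device("dock-cam-03", "2.3.1", "2.3.1", None, "Xq8!vLm2#rT9pW", date(2024, 12, 20)),
    Device("dock-cam-04", "2.3.1", "2.3.1", None, "Yb3$kPq7&nZ1mR", date(2024, 12, 20)),
]
AUDIT_DATE = date(2025, 1, 15)  # constructed "today" for the audit run
```

Run `audit(SAMPLE_DEVICES, AUDIT_DATE)` to get the remediation items per device; a clean device is simply absent from the result.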
Mastering mitigation
These stats are sobering, but there are steps you can take to protect your devices. Following the recommendations above and industry best practices gives you a strong defense against many major camera vulnerabilities.
To learn more, check out “Camera Vulnerability: Tutorial, Sample CVEs, and Best Practices,” a practical guide to camera vulnerability mitigations and best practices for reducing exposure to IP camera-related threats.