Bookmark and Share

Camera-Inclusive Systems: Don't Forget To Employ Sufficient Security Stratagems

Adding one or several image sensors to a system, along with the necessary "muscle" to process the captured still and video frames, can notably enhance that system's capabilities and consequent appeal to potential customers. But then again, as editor-in-chief of the Embedded Vision Alliance, you'd expect me to harbor such a belief, right? Keep in mind, though, that along with containing cameras, many (most? all?) of these systems offer network connectivity; wired, Wi-Fi, cellular, etc. If unintended parties gain access to the system's camera(s) over the network, the results can be disastrous from privacy and other perspectives.

Unfortunately, several recent examples of such a scenario (or at least its tangible potential) have emerged. Remember Samsung's Smart TVs, which first appeared at the January 2012 Consumer Electronics Show and which I've written about in several subsequent past news writeups? In late March 2012, I mentioned that the Terms of Service seemed to grant third parties access to the TVs' cameras, microphones and networking transceivers. Several weeks later, Samsung attempted to assuage owners' privacy concerns by noting that explicit owner disable of these subsystems was possible.

However, at the time I wrote:

Does Samsung's clarification put the issue to rest? I doubt it. After all, the camera and microphone on/off "switches" are software-controlled, not fundamentally hardware-triggered in nature, so there's nothing precluding some external entity from turning them on even if the user-viewable settings screen suggests otherwise.

And in fact, via a hack, such a scenario has seemingly indeed come to pass. From the Ars Technica coverage (Slashdot also highlighted the topic):

If you use a Samsung "Smart TV" that's connected to the Internet, there's a chance Luigi Auriemma can hack into the device and access files stored on connected USB drives. The researcher with Malta-based security firm ReVuln says he has uncovered a vulnerability in most Samsung models that makes it easy for him to locate their IP address on the Internet. From there, he can remotely access the device and exercise the same control someone in the same room would have. That includes gaining root access and installing malicious software. The attack exploits bugs in features that allow end users to install Skype, Pandora, and other types of apps.

The TVs can be controlled using smartphone and tablet apps and in some cases by voice commands. "At this point the attacker has complete control over the device," he wrote in an e-mail to Ars. "So we are talking about applying custom firmwares, spying on the victim if camera and microphone are available, stealing any credential and account stored... on the device, using his own certificates when accessing https websites, and tracking any activity of the victim (movies, photos, music, and websites seen) and so on. You become the TV."

Want another disturbing example? As recently reported at ExtremeTech, Gizmodo, Slashdot, and The Verge, eighteen brands of professionally surveillance cameras, representing an estimated 58,000 devices, are susceptible to unintended remote monitoring and control. From ExtremeTech's writeup:

Security camera digital video recorders from Atlantis, BCS, Bolide, Cosmos, Defender, DSP Cop, EyeForce, Greatek, Hi-View, J2000, KGuard, Lorex, Protectron, Soyo, SVAT, Swann, URMET, and Zmodo have all shipped with firmware that allows unauthenticated access to the web controls. Port 9000 is open on these vulnerable devices, and it allows any third party to access the stream, view the footage, delete anything, and even turn off the camera. Even worse, these cameras use Universal Plug and Play (UPnP), so finding and accessing them will be even easier.

Speaking of UPnP, it represents the third piece of bad news that I unfortunately need to pass along to you today. And given the networking protocol's broad consumer adoption, the potential impact is even more substantial. Here's Ars Technica's take on the subject, which hit cyberspace yesterday:

Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack. UPnP, as the feature is often abbreviated, is designed to make it easy for computers to connect to Internet gear by providing code that helps devices automatically discover each other over a local network. That often eliminates the hassle of figuring out how to configure devices the first time they're connected.

But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7. Over a five-and-a-half-month period last year, the researchers scanned every routable IPv4 address about once a week. They identified 81 million unique addresses that responded to standard UPnP discovery requests, even though the standard isn't supposed to communicate with devices that are outside a local network. Further scans revealed 17 million addresses exposed UPnP services built on the open standard known as SOAP, short for simple object access protocol. By broadcasting the service to the Internet at large, the devices can make it possible for attackers to bypass firewall protections.