By exploiting webcams and other IoT devices, cybercriminals can spy on private and professional conversations, potentially giving them access to sensitive information, BitSight said.
Imagine an attacker breaking into an Internet-facing webcam set up in your organization and spying on a meeting, production process or internal training session. Then think about what that person could do with the information obtained. That’s exactly the scenario raised by cybersecurity company BitSight.
In a new report on unsecured IoT devices, BitSight found that one in 12 organizations with Internet-facing webcams or similar devices failed to properly secure them, leaving them vulnerable to video or audio interference. Specifically, 3% of organizations tracked by BitSight have at least one Internet-facing video or audio device. Among those, 9% had at least one device with exposed video or audio feeds, giving someone the ability to view live feeds or listen to conversations.
Which organizations are most vulnerable to these hacks?
The organizations considered span the entertainment, education, technology and government sectors. Of these, the education sector was at the highest risk: one in four users of Internet-facing webcams and similar devices are at risk of video or audio vulnerabilities.
In addition, Fortune 1000 companies received the greatest exposure, including a Fortune 50 technology subsidiary, a Fortune 100 entertainment company, a Fortune 50 telecommunications company, a Fortune 1000 hospitality company and a Fortune 50 manufacturing company.
What devices were analyzed in this cyber risk study?
Most devices analyzed by BitSight use the Real-Time Streaming Protocol to communicate over the Internet, although some use the HTTP and HTTPS protocols. With RTSP, users can send video and audio content and use commands to record, play and pause the feed.
While most of the devices examined in the report were webcams, the analysis also included network video recorders, smart doorbells and smart vacuums. Some devices are actually set up for security purposes.
Why devices are vulnerable to hacking
The Internet-facing devices analyzed were not behind a firewall or VPN, leaving them open to fingerprinting and threats. Some exposed devices were improperly configured, and others lacked any type of user-set password. Some devices have been plagued by security flaws, and many have been hit by a specific access control vulnerability called an insecure direct object reference (IDOR).
IDOR vulnerabilities are now as worrisome as they have ever been, according to BitSight. In 2022, BitSight discovered several critical vulnerabilities in a popular GPS car tracker. One of them, labeled CVE-2022-34150, could allow an attacker to intercept information from any device ID, not just those belonging to the signed-in user account.
At a minimum, the video or audio feed should be protected by access control measures; however, many of them are not protected in this way, allowing attackers to view video feeds and eavesdrop on conversations. A clever hacker can also change the exposed feed to spread false information, BitSight explains.
What are the potential security implications of such hacks?
Vulnerable webcams and other IoT devices open the door to several types of threats. An attacker can watch private meetings and other conversations, allowing them to collect personal data or compromising information through video or audio feeds. The real locations of employees and other people may be disclosed. An attacker can also observe business-related activities and chats, picking up sensitive information belonging not only to the company but to any third parties.
The disclosed information may threaten physical security. Some of the webcams analyzed by BitSight monitor secure doors and rooms, which may provide criminals with the information needed to breach security. In addition, the cyber security of the organization as a whole can be compromised. Access to vulnerable audio and video devices gives attackers more data to compromise your internal systems and networks.
Some of the areas with vulnerable web cameras include manufacturing facilities, laboratories, conference rooms, school buildings and hotel lobbies.
How to reduce the risk of exposed webcams and IoT devices
To help your organization reduce the risk of Internet-facing webcams and other IoT devices, BitSight offers a few tips.
First, identify any video or audio devices used throughout your organization and by your business partners. Then analyze the security of these devices.
Place any vulnerable devices behind a firewall or VPN.
Set up access control measures to protect any devices that lack proper authentication.
For devices with a software vulnerability, the developer needs to step in to provide a patch or secure the device. If the developer can’t or won’t do this, your only option may be to switch to a different device or product.
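One way to carry out the "analyze the security of these devices" step for RTSP devices, as an added example that is not from BitSight or the original article: it classifies the response each device in your own inventory returned to an RTSP DESCRIBE request sent without credentials. The addresses, responses and function names are constructed for illustration, and the Basic-versus-Digest distinction goes beyond what the article covers.

```python
# Added example: classify RTSP DESCRIBE responses captured from your own
# device inventory. Hosts and responses below are constructed samples.

def parse_rtsp_response(raw):
    """Return (status, headers) for a raw RTSP response, or None if malformed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Headers may repeat (one WWW-Authenticate per offered scheme).
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def classify(raw):
    """Map one response to an unauthenticated DESCRIBE onto an audit finding."""
    parsed = parse_rtsp_response(raw)
    if parsed is None:
        return "unknown: not an RTSP response"
    status, headers = parsed
    if status == 200:
        return "exposed: stream described without credentials"
    if status == 401:
        offered = headers.get("www-authenticate", [])
        schemes = {v.split(" ", 1)[0].lower() for v in offered}
        if schemes == {"basic"}:
            return "weak: Basic auth only (credentials merely base64-encoded)"
        return "protected: authentication required"
    return f"review: unexpected status {status}"


# Constructed inventory: documentation-range addresses, hand-written responses.
SAMPLE_INVENTORY = {
    "192.0.2.10": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n",
    "192.0.2.11": 'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n',
    "192.0.2.12": 'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n',
    "192.0.2.13": "HTTP/1.1 400 Bad Request\r\n\r\n",
}


def audit(inventory):
    """Return {host: finding} for every device in the inventory."""
    return {host: classify(raw) for host, raw in inventory.items()}
```

Calling `audit(SAMPLE_INVENTORY)` returns one finding per host; anything marked "exposed" or "weak" is a candidate for the firewall, VPN and access control steps above.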
“This study shows that even everyday technology, like webcams, can leave organizations extremely vulnerable if exposed,” BitSight Chief Risk Officer Derek Vadala said in a statement. “Understanding how these devices can increase an organization’s attack surface and taking steps to use them in a way that limits potential threats is critical.”