Security of IP Cameras: See and Be Seen!
Cameras controlled over the Internet promise security and are intended to allow home and apartment owners to keep a watchful eye on their own four walls when they are away. But the increasingly popular surveillance devices are often unsecured in their own right, enabling intruders from the Internet to remotely spy on other people's living spaces and to launch major online attacks.
Lots of surveillance at a low price
Surveillance cameras transmitting images, video and sound via an online connection to PCs and mobile devices are currently a sales hit. It's no wonder, as the devices are becoming ever more economical and the selection is vast. Whereas up until recently, buyers of real-time surveillance systems had to shell out several hundred Euros, IP camera systems are now available for well under 100 Euros. Installing and integrating them into a WLAN and setting up a corresponding Cloud account are no longer a major obstacle even for computer novices; most even offer convenient set-up via apps. And the range of functions offered by the devices is quite impressive: night vision via infrared, a 360-degree view through motor control by means of an app, as well as motion and audio sensors that sound an alarm over the Internet, are all available even at low price points.
Increasing burglary rates
It is a fact that cameras are also used as baby monitors or for pet care. The most frequent reason to buy this surveillance equipment, however, is to protect a home and property, garage or vacation home during absence. The need for more security is no coincidence: The latest 2015 crime statistics put out by the police in Germany indicate an increase in the number of incidents involving burglary by just under 10 percent compared to the previous year. If burglars assume that owners are not home, the number of cases even increases to eleven percent. Thus it is no surprise that owners and renters are turning to increasingly economical IP cameras.
When security cameras attack online services
But the security of camera surveillance is deceptive and can even morph into a security risk in its own right. It may be true that manufacturers offer lots of security features for their surveillance cameras. That the transmission and storage of data generated by cameras also need to be secure, however, is something they mostly haven't taken into account. In some cases, there are insufficient, if any, safeguards for device access via corresponding online services. Thus, they open up a floodgate into the private sphere of users, enabling unauthorized access via all devices, including PCs, smartphones and tablets, connected through WiFi. This happens, for example, when security gaps cause the password to be transmitted or saved in plain text over a previously well-encrypted home network.
In the worst-case scenario, the cameras endanger not only the security of the home WiFi network but are also exploited by cybercriminals as part of a botnet for online extortion and attacks on Internet services – naturally without the knowledge of their users. One such Web attack occurred on October 21 last year: 100,000 poorly protected devices with Internet connectivity around the globe, including many IP cameras, were automatically integrated into a botnet by a malware program by the name of "Mirai", which specializes in IoT devices. With the computing power of this "camera network", the attackers launched massive Internet assaults. Major Internet services, including Twitter, PayPal, Amazon, Netflix and Spotify were intended to be blasted off the Internet and were said to have even been subjected to extortion prior to the attack.
Security seekers on a silver platter
A good example of how the desire for security can be completely turned on its head through security defects of IP cameras is evidenced by Insecam and Shodan.
The "Insecam" website shows IP cameras connected to the Internet by their owners. The devices and Cloud platforms used, however, either offer no password protection or the users have not activated it. Thus, in addition to surveillance cameras in businesses and shops, the site also reveals many devices that extend right into the privacy of their users. Children's rooms, home entrances and garages, as well as views of gardens protected by high security fences: everything can be found here. A sensitive detail: Next to the real-time streams of the cameras, Insecam also shows their locations on Google Maps. Thus, for burglars, it is child's play not only to spy on future victims but also to locate them.
The online service "Shodan" even goes a step further. Since the beginning of the year, the search engine for IoT devices has been equipped with camera search functions. They also list cameras that are on the Internet without password protection. In this case, however, attackers are not only able to obtain feeds from other people's cameras. Via unsecured Cloud user menus, the devices can also be controlled remotely. If they are equipped with a microphone, attackers from the Internet are even able to eavesdrop on their victims.
The test seal for smart home security
The fact is that IP cameras can assist in safeguarding real estate properties and other objects. This does presuppose, however, that they do not become a security risk of their own, due to exploits in the area of data acquisition, exchange and storage. The Cloud services used with IP cameras, as well as the applications and apps for smartphones and tablets, ought to also withstand a security check, in order to keep attackers at bay.
That is why AV-TEST evaluates IP cameras and other IoT devices in comprehensive security tests concerning encrypted communication, safe authentication and security against external attacks. You can recognize secure IP cameras and other IoT devices by the security certificates of the AV-TEST Institute.
Significant differences in the security test
The following test table reveals which current IP cameras received a favorable rating in the security check by AV-TEST. You can find regular tests on the security of IoT and smart home products on the AV-TEST website, as well as on our IoT blog.
Update: Manufacturers react
Several manufacturers have reacted to the test and critique by AV-TEST and closed the security vulnerabilities in their products. This also includes the manufacturer Smartfrog, who was the first to obtain certification for an IP camera of the same name.