Tom Tuunainen
All devices that are connected to the internet are in danger of being accessed by unknown and potentially malicious third parties. In the case of poorly protected internet-facing cameras, threat actors can in the worst case access the live feed of the camera, record sensitive data, and also use the camera as an access point to a network which the camera might be attached to.
Even though default camera security settings have improved over the years, some brands still only offer default passwords or even no authentication at all, meaning that anyone can potentially get access to the camera and its information feed (Lapienytè 2022).
New research from CyberNews (Lapienytè 2022) found over 458,000 devices that were protected only by default credentials in the United States alone, alongside almost 250,000 in the United Kingdom, with countries such as China, Brazil, India, the Korean Republic and Mexico also appearing on the list. At least 21,000 cameras worldwide lack any authentication whatsoever, which raises questions about invasions of privacy, and the impact IP cameras might have on the global increase in cybercrime and cyberwarfare. (Lapienytè 2022.)
Things are, however, moving in the right direction. In November 2022, the United Kingdom banned surveillance equipment from “sensitive” government sites (BBC News 2022), while the United States Federal Communications Commission adopted rules that prevent communications equipment deemed to pose an unacceptable risk to national security from being imported or sold in the country (FCC 2022).
In order to secure internet-facing cameras better, a strong password should be enforced and set up when the camera is taken into use. A check to ensure that the camera contains the latest firmware is also highly recommendable – this check should also be done periodically. It is also commendable to install the camera behind a firewall or connect it via a Virtual Private Network (VPN), so that it has not a straight connection to the internet – and one should not place one´s camera in a place where it does not belong. Private places like bedrooms or work rooms with sensitive documents laying around are no locations for internet-facing cameras. Once you have bought your IP camera, please set it up with security in mind!
References
BBC News. 2022. UK government bans new Chinese security cameras. Available at: https://www.bbc.com/news/uk-politics-63749696. Accessed 19 December 2022.
Lapienytė, J. 2022. 3.5m IP cameras exposed, with US in the lead. CyberNews. Available at: https://cybernews.com/security/millions-ip-cameras-exposed/. Accessed 16 December 2022.
FCC. 2022. FCC Bans Authorizations for Devices That Pose National Security Threat. Available at: https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat. Accessed 19 December 2022.
Tom Tuunainen
R&D Developer
Centria University of Applied Sciences
Tel. +358 40 681 7207