IoT Vulnerabilities: IP Cameras Most Insecure IoT device

Tanner Jones
Published in Nerd For Tech
12 min read · Dec 5, 2021

Connected world!

Through technology, the world is more connected than ever before, for better and for worse. In her article “What are IoT Devices,” Nikita Duggal states, “IoT is an umbrella term that refers to the billions of physical objects or ‘things’ connected to the Internet, all collecting and exchanging data with other devices and systems over the Internet.” IoT devices provide the means to be connected, collect data, analyze data, monitor, and much more. By the year 2030, there are expected to be 50 billion IoT devices in use around the world. (Vailshery) Current areas of interest include home devices, IoT infrastructure, security and monitoring, transportation, manufacturing, agriculture, and communications. (Devasia)

This article focuses on the security implications of, and the research pertaining to, IP or smart cameras. There is great concern with regard to the security of the IoT devices on the internet. Adversaries have weaponized IoT devices by overwhelming services with distributed denial of service (DDoS) attacks and causing them to crash. A DDoS is often a precursor and distraction for a larger cyber-attack. (Hussein) This article will begin by addressing concerning threats and vulnerabilities of IoT devices, then cover security vulnerabilities of specific IP cameras made by Hikvision and Reolink. It will conclude by outlining potential solutions to create more secure and resilient IoT devices.

The Internet of Things (IoT) is a revolutionary technology that enables tasks that were once done manually to be automated through a series of sensors and software. Processing power has increased exponentially over the past decade. According to Moore’s Law, the number of transistors in a dense integrated circuit doubles every two years, which directly correlates with processing speed. As speed increases rapidly and cost continues to go down, fast and efficient processing chips can be produced. (Moore’s Law) The ability to produce cost-effective and powerful circuits enables hardware such as Systems on a Chip (SoC). A SoC is an all-in-one component that contains the Random Access Memory (RAM), Central Processing Unit (CPU), and Graphics Processing Unit (GPU). This enables the creation of complex and small computer models that are efficient and powerful. Embedding a SoC into IoT devices guarantees fast processing speeds to better collect and analyze data, while being connected more than ever before.

The future of computing is SoC Architecture

Every day, new devices connect to the internet, and it is estimated that by the year 2030 there will be ~50 billion IoT devices connected online. (Vailshery) As more devices go online, more data is generated. By 2025, the total volume will reach 79.4 Zettabytes (ZBs) or about 72.2 billion Terabytes of data. (convert) That is a lot of data, and that data generation can be used maliciously to attack key components of the modern internet to cause damage to web servers, DNS servers, firewalls, and applications. A recent instance of this occurred in 2020, when Amazon Web Services (AWS) experienced a Distributed Denial of Service (DDoS) attack. At its peak, the attack reached upwards of 2.3 terabytes per second, leaving services unreachable. (cioandleader)

Command and Control of a Botnet

IoT Threats

There are numerous threats to IoT devices that can impact the security and privacy of organizations and users. I will focus on 5 threats that I believe are most relevant in today’s threat landscape. As more devices connect online, the number of threats will increase, and the consequences of insecure IoT will be detrimental to organizations, users, and society. Continuous effort is needed to discover, patch, and mitigate vulnerabilities of IoT devices and software.

1. Botnets — As previously mentioned, DDoS attacks can cripple the IT systems of even the largest organizations. DDoS attacks are most often delivered through large botnets. Malicious actors or cyber-crime groups install malware on devices, which allows them to control the devices remotely from a command center. They can use the collective computing power of hundreds of thousands or even millions of IoT devices to launch enormous DDoS attacks. If successful, this can violate the confidentiality, integrity, and availability of IT systems. (Lakhani) These compromised devices can lead to future incidents and provide a means of espionage on individuals and organizations through voice and video recording.

2. Convergence of OT and IoT — The use of IoT devices in operational technology (OT) is expanding quickly. Devices are used to collect a wide variety of data including temperature, particle counts, equipment, and location. This data is used to automate repetitive tasks like turning the lights on and off. In the past, OT systems and IT networks were air-gapped, meaning they stood alone and weren’t connected via the internet. The convergence of OT and IoT devices allows these devices to be accessible from outside the corporate network and security. The new ability to connect leaves both the OT and IT networks vulnerable to IoT threats. This impedes the ability to properly secure networks and devices and requires a more holistic approach to security. (Lakhani)

3. Ransomware — Ransomware is a specific type of malware that allows criminals to lock files and devices and hold them for ransom. The malware uses extremely strong encryption to remove access to computers, data, and files stored on the network. (Lakhani) The malware has become more sophisticated and can find and delete backups, making it harder to recover. Ransomware attacks have increased an astonishing 485% from 2019 to 2020. (James) The use of IoT devices and the lack of implemented security with them provides an easy access point into networks and a means to carry out cyber-attacks such as ransomware.

4. AI-based Attacks — Artificial Intelligence or AI-based attacks allow threat actors to create sophisticated social engineering attacks by manipulating human emotions. The most common delivery method is phishing emails. (Lakhani) The use of AI has increased as its capabilities have become more human-like. AI-based tools can mimic normal user traffic. AI systems can perform repetitive tasks and are easily scalable. Insecure IoT devices are a means by which an attack can be introduced into a network and are easily dynamic due to AI capabilities.

5. IoT Device Detection and Visibility — IoT devices can come in all shapes, sizes, and capabilities. It is difficult to properly secure a network if not all the known devices are identified. A major difficulty is that IoT devices are not readily detected by network security. (Lakhani) It is impossible to evaluate what threats pertain to those devices if those devices are unidentifiable. The lack of device visibility and detection of IoT devices allows rogue devices to be exploited and be a precursor to further security incidents. In network security, it is vital that devices be monitored and continually updated with necessary patches and updates.

IP Camera Vulnerabilities

An Internet Protocol camera, or IP camera for short, is designed to transmit and receive data over a local network or the Internet. An internet-enabled camera provides the ability to access the live feed from anywhere with a connection to the Internet. An IP camera is an IoT device that can be easily exploited, just like other IoT devices. Below, I will focus on the common vulnerabilities of IP cameras and go into further detail about specific IP cameras made by Reolink and Hikvision. (Honovich)

Common vulnerabilities

1. Man-In-The-Middle Attacks — These types of attacks present a significant privacy and security concern. Man-in-the-middle (MitM) attacks are highly effective and easy to perform. A MitM attack enables the attacker to steal information and disrupt access to services on the network. (Doughty) A 2019 study, Vulnerability Analysis of IP Cameras Using ARP Poisoning, illustrates how MitM attacks covertly intercept traffic from a source and forward it to a new destination. This is done through Address Resolution Protocol (ARP) poisoning. Devices store information such as MAC addresses and IP addresses in their ARP tables. Attackers can poison these cache tables by sending ARP replies so that the traffic is forwarded to themselves. (Doughty) The researchers used a variety of tools to successfully attack the Reolink RLC-410WS IP camera. The Reolink camera is compliant with ONVIF (Open Network Video Interface Forum), which means all cameras that follow this standard could be vulnerable. ONVIF allows a live video feed from the camera to be viewed through an application such as VLC. Nearly 11,443 products from well-known IP camera manufacturers such as Panasonic, Hikvision Digital Technology, and Sony Corporation are susceptible. (Doughty)

2. DDoS Attack — The study further illustrates a threat scenario in which a threat actor redirects IP camera traffic as a DDoS attack to slow and stop services as a precursor for a burglary. The attacker gains insight into the layout of the building, the valuables inside, and the devices on the network, all from exploiting an IP camera. Later, the attacker moved laterally through the network by brute forcing passwords and reading plaintext internet traffic within the network. (Doughty) This illustrates how such an attack can translate into an event with real-world impact on society.

3. Remote Code Execution (RCE) — An RCE vulnerability allows an attacker to gain full control of a victim’s infected machine. If it is exploited, the attacker can execute system commands to write, modify, delete, and read files, and connect to databases. (Cyware) The RCE is often the entry point into a network, from which the attacker can move throughout the network and escalate their privileges in order to complete their mission.
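The ARP poisoning in item 1 can be spotted passively on the camera's network segment. The following is an added example, not code from the Doughty study or this article: a monitor that parses raw Ethernet/ARP frames and flags replies that answer no request and IP-to-MAC mappings that change. The addresses and the three-frame capture are constructed for illustration.

```python
import struct
# Ethernet header (14 bytes) + ARP payload for IPv4 over Ethernet (28 bytes).
ETH_ARP = struct.Struct("!6s6sH HHBBH 6s4s 6s4s")

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet/ARP frame; tha doubles as the Ethernet destination."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(p) for p in s.split("."))
    return ETH_ARP.pack(m(tha), m(sha), 0x0806, 1, 0x0800, 6, 4, op,
                        m(sha), a(spa), m(tha), a(tpa))

class ArpWatch:
    """Passive monitor: flags replies nobody asked for and IP-to-MAC changes."""
    def __init__(self):
        self.table = {}       # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def inspect(self, frame):
        if len(frame) < ETH_ARP.size:
            return []
        (_, eth_src, etype, htype, ptype, hlen, plen, op,
         sha, spa, _tha, tpa) = ETH_ARP.unpack(frame[:ETH_ARP.size])
        if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return []  # not ARP for IPv4 over Ethernet
        s_ip, s_mac, t_ip = ip(spa), mac(sha), ip(tpa)
        alerts = []
        if eth_src != sha:
            alerts.append(f"{s_ip}: Ethernet source {mac(eth_src)} != ARP sender {s_mac}")
        if op == 1:    # request: remember who asked for which address
            self.pending.add((s_ip, t_ip))
        elif op == 2:  # reply: must answer an outstanding request
            if (t_ip, s_ip) not in self.pending:
                alerts.append(f"{s_ip}: unsolicited reply from {s_mac}")
            self.pending.discard((t_ip, s_ip))
        known = self.table.setdefault(s_ip, s_mac)
        if known != s_mac:
            alerts.append(f"{s_ip}: mapping changed {known} -> {s_mac}")
        return alerts

def scan(frames):
    watch = ArpWatch()
    return [(n, a) for n, f in enumerate(frames, 1) for a in watch.inspect(f)]

# Constructed capture: request, genuine reply, then a forged reply for the camera's IP.
VIEWER, CAMERA, ROGUE = "02:00:00:00:00:10", "02:00:00:00:00:50", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(1, VIEWER, "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.50"),
    build_arp(2, CAMERA, "192.168.1.50", VIEWER, "192.168.1.10"),
    build_arp(2, ROGUE, "192.168.1.50", VIEWER, "192.168.1.10"),
]
```

`scan(SAMPLE)` returns two alerts, both for the third frame. Legitimate mapping changes (a DHCP lease moving to new hardware, a failover pair) raise the same alerts, so pinning the expected MAC for each camera and enabling dynamic ARP inspection on the switch are the complementary preventive controls.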

Due to government backing, Hikvision has become the most widely used video surveillance manufacturer in the world. (Honovich) The company has been scrutinized due to the insecurity of its products. In 2021, the security researcher Watchful_IP found a zero-click vulnerability. If exploited, it provides root access and full control of the device. The exploit simply needs access to an HTTP(S) server port such as 80/443. No username or password is needed, and the attack will be undetectable by logs on the camera itself. (Honovich) Since the vulnerability was discovered, Hikvision has released security patches, but the bug has been around since 2016 and impacts Hikvision OEM partners as well as over 100M devices globally. (Honovich)

Potential Solutions

In the paragraphs above, threats and vulnerabilities of IoT devices have been explained and illustrated by research and recent cyber incidents. Now, two possible solutions will be presented to ensure more secure IoT devices, along with how to mitigate possible impacts if an incident occurs. It is important that security is made a priority throughout the entire development process of producing an IoT device. Security cannot be an afterthought but rather a key component and feature.

Zero Trust — The Zero Trust Architecture (ZTA) security model relies on an organization’s Identity and Access Management (IAM) policies. (Hewitt) Implementing ZTA into an organization enhances security if implemented correctly and provides detailed information about devices to maintain a continuous inventory of devices and connections. ZTA uses multi-factor authentication (MFA) to verify a device’s identity. Furthermore, Zero Trust Network Architecture (ZTNA) “focuses on who and what can connect to applications located on a network”. (Hewitt) By design, this enhances the security of the network by placing the applications behind a gate called a Proxy Point. The Proxy Point creates an encrypted tunnel that transmits the data to provide secure connections to the network. The proper use of Zero Trust greatly enhances the security of the network architecture, devices, and services of a network.

Trust is not given by design

Secure-by-Design — Secure-by-design, as it applies to IoT, is the “inclusion of security design principles, technology, and governance at every stage of the IoT journey” (Schmid). IoT devices bridge the gap between the digital and the real world by collecting and processing data to complete repetitive tasks. IoT devices are often the weakest link and can be easily exploited to gain access to entire networks. It is vital that security is a primary focus throughout the entire development process. Here are 3 keys to a secure-by-design IoT architecture: (Thales)

1. Security-by-design approach starts at the beginning of IoT projects, which includes security risk analysis.

2. Trusted device IDs and credentials are embedded during manufacturing to defend against device cloning, data tampering, theft, and misuse.

3. Lock IDs and credentials are stored in secure hardware containers to protect sensitive IoT applications such as healthcare and smart grids.
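To show why keys 2 and 3 defend against cloning, here is an added example (not code from Thales or this article) of a backend that admits a camera only after a fresh challenge-response using a secret provisioned at manufacturing. The HMAC-based key derivation, the `cam-0001` ID and the class names are assumptions made for illustration; production deployments commonly use device certificates and keep the root key in an HSM.

```python
import hashlib
import hmac
import secrets

def mac_tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def device_key(root_key: bytes, device_id: str) -> bytes:
    """Per-device secret derived at the factory (assumed provisioning scheme)."""
    return mac_tag(root_key, b"device-key", device_id.encode())

class Device:
    """Stands in for a camera whose key lives in a secure hardware container."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        return mac_tag(self._key, nonce, self.device_id.encode())

class Verifier:
    """Backend that admits a device only after a fresh challenge-response."""
    def __init__(self, root_key: bytes):
        self._root = root_key
        self._open = {}  # device_id -> nonce of the outstanding challenge

    def challenge(self, device_id: str) -> bytes:
        self._open[device_id] = secrets.token_bytes(16)
        return self._open[device_id]

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._open.pop(device_id, None)  # single use, so replays fail
        if nonce is None:
            return False
        expected = mac_tag(device_key(self._root, device_id), nonce, device_id.encode())
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    root = secrets.token_bytes(32)  # constructed root key for this run
    backend = Verifier(root)
    genuine = Device("cam-0001", device_key(root, "cam-0001"))
    clone = Device("cam-0001", secrets.token_bytes(32))  # copied ID, wrong key
    first = genuine.respond(backend.challenge("cam-0001"))
    results = {"genuine": backend.verify("cam-0001", first)}
    results["replay_no_challenge"] = backend.verify("cam-0001", first)
    backend.challenge("cam-0001")  # new nonce; the captured response is stale
    results["replay_new_nonce"] = backend.verify("cam-0001", first)
    results["clone"] = backend.verify("cam-0001", clone.respond(backend.challenge("cam-0001")))
    return results
```

Only the genuine device is accepted: a clone that copied the device ID but not the hardware-held key fails, and so does a captured response replayed later.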

The implementation of both Zero Trust and Secure-by-Design can ensure that IoT devices and the networks are fundamentally more secure. These two potential solutions will not fix all the insecurities of IoT devices, but they will help create more secure and resilient IoT devices moving forward.

Conclusion

The adoption and overall use of IoT devices is increasing at an astonishing rate. By the year 2030, there are estimated to be 50 billion IoT devices. (Vailshery) IoT devices connect the digital world to the real world by providing the capability to be connected, collect and analyze data, and provide superior monitoring capabilities. The current IoT devices and security standards are not sufficient to combat current and future threats. As consumers of IoT devices, we need to become more educated and be able to understand the importance of security within the products that we purchase. Consumers’ expectations of security need to change as the world needs conscientious individuals to protect privacy and security in the current and future digital age.

Thanks for reading!

Cheers

Sources

Adams, R. Dallon. “IOT Device Attacks Double in the First Half of 2021, and Remote Work May Shoulder Some of the Blame.” TechRepublic, TechRepublic, 13 Sept. 2021, https://www.techrepublic.com/article/iot-device-attacks-double-in-the-first-half-of-2021-and-remote-work-may-shoulder-some-of-the-blame/.

Cipher, Cipher. “The Core Phases of Incident Response & Remediation.” Cipher, Cipher, 28 May 2020, https://cipher.com/blog/the-core-phases-of-incident-response-remediation/.

Cyware Hacker News. “Remote Code Execution Vulnerability: What Is It and How to Stay Protected from It?: Cyware Hacker News.” Cyware Labs, Cyware, 22 Feb. 2020, https://cyware.com/news/remote-code-execution-vulnerability-what-is-it-and-how-to-stay-protected-from-it-12a1b250.

Devasia, Anish. “The Basics of IOT Infrastructure — Technical Articles.” Control Automation, 27 June 2021, https://control.com/technical-articles/the-basics-of-iot-infrastructure/.

Doughty, Thomas, Nauman Israr, and Usman Adeel. “Vulnerability Analysis of IP Cameras Using ARP Poisoning.” Aircconline, 2019, https://aircconline.com/csit/papers/vol9/csit90712.pdf.

Duggal, Nikita. “What Are IOT Devices : Definition, Types, and 5 Most Popular Ones for 2021.” Simplilearn.com, Simplilearn, 12 Apr. 2021, https://www.simplilearn.com/iot-devices-article.

Hewitt, Kasey. “What Is Zero Trust Architecture? 9 Steps to Implementation.” Security Ratings & Cybersecurity Risk Management, Security Score Board, 14 July 2021, https://securityscorecard.com/blog/what-is-zero-trust-architecture.

Honovich, John. “Hikvision Has ‘Highest Level of Critical Vulnerability,’ Impacting 100+ Million Devices.” IPVM, 20 Sept. 2021, https://ipvm.com/reports/hikvision-36260.

Hussein, AbdelRahman H. “Internet of Things (IOT): Research Challenges and Future …” Thesai.org, (IJACSA) International Journal of Advanced Computer Science and Applications, 2019, https://thesai.org/Downloads/Volume10No6/Paper_11-Internet_of_Things_IOT_Research_Challenges.pdf.

James Coker. “Ransomware Attacks Grew by 485% in 2020.” Infosecurity Magazine, 6 Apr. 2021, https://infosecurity-magazine.com/news/ransomware-attacks-grow-2020/.

Lakhani, Aamir. “Examining Top IOT Security Threats and Attack Vectors: Fortinet.” Fortinet Blog, 7 June 2021, https://www.fortinet.com/blog/industry-trends/examining-top-iot-security-threats-and-attack-vectors.

Millman, Rene. “IoT Devices Are More Vulnerable than Ever.” IT PRO, IT Pro, 10 Sept. 2021, https://www.itpro.com/network-internet/internet-of-things-iot/360850/iot-devices-are-more-vulnerable-than-ever.

PrivSec. “Research Reveals the Most Vulnerable IOT Devices.” GRC World Forums, GRC World Forums, 12 June 2019, https://www.grcworldforums.com/security-threats/research-reveals-the-most-vulnerable-iot-devices/86.article.

Schmid, Robert, et al. “IOT Platform Security by Design.” Deloitte United States, Deloitte, 2 Sept. 2021, https://www2.deloitte.com/us/en/pages/operations/articles/iot-platform-security.html.

Thales Group. “How to Make Internet of Things Solutions Secure by Design.” Thales Group, Thales Group, 2020, https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/iot-security/key-principles.

Vailshery, Lionel Sujay. “Number of Connected Devices Worldwide 2030.” Statista, Statista, 22 Jan. 2021, https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/.

Weisman, Steve. “What Is a Ddos Attack?” Norton, Norton, 23 June 2020, https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html.
