Years After Regulatory Crackdown, Some Security Cameras Still Open To Hackers
A Maryland-based cybersecurity start-up called ReFirm said it discovered the flaws in Internet-connected products sold in the United States by manufacturers TRENDnet, Belkin and Dahua.
The researchers said they were able to exploit weaknesses in the gear to access video feeds from people’s security cameras that were freely available on the Internet. Their report shows images of what appear to be live video feeds of a playground, a department store, a solar farm, an industrial control system and what appears to be the entrance to a person’s home.
The cybersecurity firm alleged that the cameras made by Dahua, a Chinese manufacturer, contain what appears to be a hard-coded “back door” to allow outsiders to gain access to the feeds.
Other vulnerabilities were found in Belkin wireless routers and cameras made by TRENDnet, which in 2013 settled FTC allegations that it did not adequately protect consumer privacy. The settlement contained no admission of wrongdoing.
ReFirm said it shared its findings with the companies before releasing its report publicly. Dahua did not respond to requests for comment. TRENDnet said in a statement that the company “takes consumer privacy and security very seriously.”
TRENDnet’s Internet-connected cameras are all “tested by both an internal audit team, and a leading 3rd party security group,” the company said in a statement.
“TRENDnet is currently reviewing the report to validate the vulnerability claims; we will release a patch soon for any confirmed vulnerabilities.”
Belkin said it has taken action to address the weaknesses.
“We provided firmware this past June, shortly after we were made aware of the findings,” the company said in a statement. “We also provided additional firmware updates to all the vulnerabilities mentioned in the report on Oct. 24. All three vulnerabilities have been addressed and we recommend that Belkin customers update their routers to this latest firmware.”
Cybersecurity professionals have warned for years that the “Internet of things” — everyday objects that can be controlled through the Internet — presents potential safety and privacy concerns for consumers.
“This is a problem that is often endemic to the ‘Internet of things,’ ” said Justin Brookman, director of consumer privacy and technology policy at Consumers Union, an advocacy group. “Companies connect things to the Internet, and it isn’t until later that they stop to think, ‘How could this go badly?’ ”
There have been no reports that the cameras have been exploited by malicious hackers. In its report, ReFirm documents how it was able to gain access to a security camera made by TRENDnet by searching for weaknesses in its firmware, which is software embedded in a piece of hardware. ReFirm researchers said they found a vulnerability that lets anyone gain access to a TRENDnet camera by typing 12 specified characters into a Web browser, followed by the Internet address of the video camera, which can be found relatively easily online.
“I wouldn’t even consider this a hack,” ReFirm founder Terry Dunlap said. “You’re not even doing anything malicious. . . . it’s just sloppy security.”
Dunlap said that once in, he could easily have frozen the camera feed, replaced it with false footage or shut down the device.
In a video shared with The Washington Post, Dunlap and a team of researchers can be seen demonstrating the hack on what they say is a TRENDnet camera they purchased. In it, Dunlap aims what is described as a TRENDnet TV-IP344PI security camera at two other people and displays the video feed on a nearby television. A click of a button on Dunlap’s computer freezes the camera’s display screen — showing the two people standing still — even as they start dancing around in front of the camera. Dunlap then replaces the feed with a video of 1980s pop singer Rick Astley.
TRENDnet drew the attention of regulators after a 2012 hack that put hundreds of feeds from the company’s home security cameras and baby monitors online. The FTC described the resulting settlement as its first against a marketer of an everyday product that can connect to the Internet.
The settlement committed TRENDnet to obtaining third-party assessments on its security programs every two years for the next 20 years. The settlement also requires TRENDnet to notify consumers about security issues, and established possible civil penalties of up to $16,000 for any future violations of the settlement terms.
There are also concerns that Chinese manufacturers could be embedding “back doors” into products at the behest of the Chinese government. The Wall Street Journal reported Monday that a Chinese company called Hangzhou Hikvision Digital Technology, owned in part by the Chinese government, had made cameras that were used on U.S. military installations in Afghanistan. Those cameras were removed from a list of approved cameras, and the Department of Homeland Security found a back door, giving the camera its worst security rating.
In an interview with the Wall Street Journal, a Hikvision executive said the company does not install back doors in its cameras and cannot access customers’ video feeds.
Dahua, the focus of ReFirm’s report, is a close competitor to Hikvision in China. In its report, ReFirm said it thought the back door was added deliberately based on the way the code was written and the fact that it was programmed into multiple other Dahua products.
“This vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor,” the report claims.