How Internet-Facing Webcams Can Put Your Organization at Risk

By exploiting webcams and other IoT devices, hackers can monitor private and professional conversations, potentially giving them access to sensitive information, BitSight said.


Imagine a cybercriminal hacking into the internet-facing webcams set up in your organization and monitoring meetings, manufacturing processes, or internal training sessions. Then imagine what that person could do with the information they got. This is exactly the scenario proposed by cyber risk firm BitSight.

For a new report on unsecured IoT devices, BitSight found that one in 12 organizations with internet-facing webcams or similar devices failed to secure them properly, leaving them vulnerable to video or audio compromise. Specifically, 3 percent of organizations tracked by BitSight have at least one internet-facing video or audio device. Of these, 9 percent had at least one device with an exposed video or audio feed, enabling someone to view those feeds directly or eavesdrop on conversations.


Which organizations are most vulnerable to this type of hack?

Organizations analyzed included the hospitality, education, technology and government sectors. Of these, the education sector is most at risk, with one in four using internet-facing webcams and similar devices where the video or audio is vulnerable.

Additionally, Fortune 1000 companies are most affected, including Fortune 50 technology subsidiaries, Fortune 100 entertainment companies, Fortune 50 telecommunications companies, Fortune 1000 hotel companies, and Fortune 50 manufacturing companies.

Which devices were analyzed in this cyber risk survey?

Most of the devices analyzed by BitSight communicate over the internet using the Real Time Streaming Protocol (RTSP), though some use HTTP or HTTPS. With RTSP, users can send video and audio content and run commands to record, play, and pause feeds.

While many of the devices examined in the report are webcams, the analysis also includes network video recorders, smart doorbells and smart vacuum cleaners. Some devices are actually set up for security purposes.

Why devices are at risk of being hacked

The internet-facing devices analyzed are not behind firewalls or VPNs and are therefore open to fingerprinting and other threats. Some of the exposed devices were misconfigured, and some lacked any user-set password. Other devices are vulnerable as well, many of them to a specific access control flaw known as an insecure direct object reference (IDOR).

According to BitSight, IDOR vulnerabilities have become more of a concern recently. In 2022, BitSight discovered several serious vulnerabilities of this kind in a popular car GPS tracker. The vulnerability, tracked as CVE-2022-34150, could allow hackers to obtain information from any device ID, regardless of the user account logged into the device.
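The access control gap behind an IDOR, as an added example that is not taken from BitSight's report or from any vendor's code: a feed lookup that trusts the device ID in the request, next to one that checks the ID against the logged-in account. The `FEEDS` store, the account names, the hostnames and all function names are hypothetical.

```python
# Added illustration of an insecure direct object reference (IDOR).
# All names and data below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Feed:
    device_id: int
    owner: str
    stream_url: str


# Constructed sample inventory; sequential IDs are easy to enumerate.
FEEDS = {
    1001: Feed(1001, "alice", "rtsp://cam-1001.example.internal/live"),
    1002: Feed(1002, "bob", "rtsp://cam-1002.example.internal/live"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_feed_vulnerable(session_user: str, device_id: int) -> Feed:
    # IDOR: the caller is authenticated, but the object reference taken
    # from the request is never checked against that caller.
    return FEEDS[device_id]


def get_feed_hardened(session_user: str, device_id: int) -> Feed:
    feed = FEEDS.get(device_id)
    # Same error for "missing" and "not yours", so replies do not
    # reveal which device IDs exist.
    if feed is None or feed.owner != session_user:
        raise Forbidden("no such device for this account")
    return feed


def can_read(handler, user: str, device_id: int) -> bool:
    """True if `handler` hands `user` the feed for `device_id`."""
    try:
        handler(user, device_id)
        return True
    except (Forbidden, KeyError):
        return False
```
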

At a minimum, video or audio sources should be protected by access control measures; however, many of them are not protected in this way, allowing attackers to view video feeds and monitor conversations. Astute hackers can even alter exposed feeds to spread disinformation, BitSight explained.

What are the possible security implications of such a hack?

Vulnerable webcams and other IoT devices open the door to many types of threats. Attackers could view private meetings and other conversations, allowing them to collect personal data or exfiltrate information via video or audio feeds. The physical location of employees and others may be exposed. Hackers can also gain access to business-related activities and conversations, allowing them to obtain sensitive information not only of the company, but of any third parties.

Exposed information may threaten personal safety. Some of the webcams analyzed by BitSight control security doors and rooms, potentially giving criminals the information they need to breach security. Additionally, the organization’s overall cybersecurity may be at risk. Access to vulnerable audio and video devices can provide attackers with more data to compromise your internal systems and network.

Some areas where webcams are vulnerable include manufacturing facilities, laboratories, conference rooms, school buildings and hotel lobbies.

How to Mitigate the Risks of Exposed Webcams and IoT Devices

To help your organization reduce the risks from internet-facing webcams and other IoT devices, BitSight offers some tips.

First, identify any video or audio equipment deployed in your organization and by your business partners. Then analyze the security of these devices.

Put any vulnerable devices behind a firewall or VPN.

Set up access controls to protect any device that lacks proper authentication.

For devices with software vulnerabilities, developers need to step in to provide patches or otherwise secure the device. If the provider is unable or unwilling to do so, your only option may be to switch to a different device or brand.
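One way to carry out the "analyze the security of these devices" step for RTSP equipment, as an added example that is not part of BitSight's guidance: it triages the replies your own devices gave to an RTSP DESCRIBE sent without credentials. The device names and recorded replies are constructed sample data, and the classification labels are this example's own.

```python
# Added example: triage RTSP replies recorded while auditing your own
# cameras. Each reply answers a DESCRIBE sent WITHOUT credentials.
# Device names and replies below are constructed sample data.

SAMPLES = {
    "lobby-cam": "RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
                 "Content-Type: application/sdp\r\n\r\nv=0\r\n",
    "lab-cam": "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
               'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n',
    "dock-nvr": "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
                'WWW-Authenticate: Basic realm="nvr"\r\n\r\n',
}


def parse_rtsp_response(raw: str):
    """Return (status_code, headers) from a raw RTSP/1.0 response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers


def classify(raw: str) -> str:
    code, headers = parse_rtsp_response(raw)
    if code == 200:
        return "EXPOSED: stream description served without authentication"
    if code == 401:
        schemes = {v.split(" ", 1)[0].lower()
                   for v in headers.get("www-authenticate", [])}
        if "digest" in schemes:
            return "OK: authentication required (Digest)"
        if "basic" in schemes:
            return "WEAK: Basic auth sends the password only base64-encoded"
        return "REVIEW: 401 without a recognised challenge"
    return f"REVIEW: unexpected status {code}"


def audit(samples: dict) -> dict:
    """Map each device name to its finding."""
    return {name: classify(raw) for name, raw in samples.items()}
```
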

“This research shows that even everyday technology such as webcams can leave organizations highly vulnerable if exposed,” said Derek Vadala, BitSight’s chief risk officer, in a release. “Understanding how these devices increase an organization’s attack surfaces and taking steps to deploy them in a way that limits potential threats is critical.”
