Why You Shouldn't Walk Around Naked in Front of Your Webcam

The Internet of Things is a jungle of unregulated devices, many of them without any security beyond maybe a password.

Picture from a baby monitor as viewed on a smartphone.

Home security cameras can turn out to be anything but secure, if they’re controllable over the internet.

An unsettling story making the rounds a year ago told of a California couple who outfitted their kid’s room with a wireless Foscam baby monitor with a webcam that could be remotely operated by their phones. The monitor was hijacked by a hacker, who apparently spent long hours creepily watching their child – and talking to it through the built-in speaker. The boy had complained about somebody strange talking to him but the parents hadn’t known what to make of it.

In Israel, wireless internet cameras are all the rage. Prices start at less than 100 shekels ($25), if bought from China over the internet. Better models cost around 700 shekels and counting. Another option is the Bezeq phone company, which doesn’t sell but leases its model, called BHome, for 24.90 shekels a month. The company says it’s leased tens of thousands of them.

These wireless security cameras generally come with cellular accessory applications enabling the owner to watch what’s happening at home over a smartphone and operate the camera. Some cameras can also record.

In Israel, acquisition of these devices tends to peak following terror attacks and other security-related events. But there are risks involved that not everybody realizes.

Once costly, security technology has become more affordable. That is good, generally speaking. Thieves can be caught, for instance. But webcams can become a threat to security.

In fact, so can any “internet of things” (IoT) device that we let into the house, from the television to a light bulb.

How can IoT doohickeys threaten us? Several ways. Just check out Insecam.com, a directory – basically a search engine – of unprotected web cameras all over the world. These are cameras that people installed in their homes and neglected to protect with a password. Insecam ungrammatically dubs itself “The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams.”

On Insecam.com you can find a kiosk in Tel Aviv, a back yard in Rosh Pina, a private home in Jerusalem. While writing I found a camera live in a science classroom in Petah Tikva (the school blocked the camera after we called them).

Another directory site, shodan.io, digs deeper, mapping every component connected to the web.

You don’t even need to be particularly sophisticated to break into one of these “smart homes” and lower the blinds, turn the lights on or off and so on. It bears adding that a password doesn’t confer 100% protection: hackers can bypass it, but it’s a good start.

Hello, ransomware

Two security experts, Andrew Tierney and Ken Munro, proved the possibility of another frightening scenario. They gained control over a thermostat control at somebody’s home and demanded a ransom for turning the thing back on. You can just imagine hackers taking advantage of a snowstorm to attack homes in New York.

Another “white” (i.e., good) hacker demonstrated how he gains control of a smart lock, causing the door to open. Never mind corporate espionage: Today’s cyber-assailants are a creative bunch, and note that anybody using a webcam to take pictures of his/her unmentionables or to videotape sex is just asking to have it disseminated online.

Yet another un-toothsome cyber-scenario is that your webcam (or smart TV, internet-linked printer, whatever) will be recruited to carry out cyber attacks on others.

That is exactly what happened on October 21, in the so-called “Mirai botnet attack”. Novice hackers used the IoT to harness about 1.5 million webcams, smart TVs and recording converters, which they easily hacked using the manufacturers’ default passwords. The users had no idea that their webcams had been “recruited” and were lying dormant in wait for the command to mount denial-of-service and other attacks. A dormant network of this sort is called a botnet.

The entire botnet was activated at once, aimed against the servers of a company called Dyn, which is a major supplier to other major companies like Twitter, Netflix and Airbnb. It was the biggest attack of its kind so far, and managed to knock out some of the sites Dyn served around the world for quite some time.

It is tricky to protect devices connected to the internet. Mordechai Guri, the Chief Science Officer at Morphisec, calls the IoT a jungle.

“The IoT consists of a vast range of manufacturers with a range of chip sets, architectures and electronic circuits, and there’s also a range of operating systems,” he says. “The frequent software updates and bug fixes we know from modern operating systems don’t really exist in the IoT.”

In other words, the diversification of technologies and platforms and absence of standards preclude the development of an effective anti-virus or protective software for IoT devices.

Hazard to human life

Many of the most popular IoT devices in the world, such as smart webcams made by Foscam and Axis, and smart TVs made by Haier, use unencrypted data communications, enabling their traffic to be tapped and manipulated.

Why don’t the manufacturers protect their devices? Computer security expert Bruce Schneier calls it a market failure. First of all, the manufacturers compete over price, so they cannot and don’t want to invest in developing security. Secondly, when attacks like the Mirai botnet happen, they don’t actually bother either the manufacturers or the consumer. So why should they pay more?

Schneier believes government intervention is necessary: unsafe products should be banned, just as hazardous toys are banned. Governments need to regulate technology that can become hazardous to human life, he argues. Right now, the security of the internet is threatened by millions of internet-connected devices, sold by companies you’ve never heard of, who don’t give a fig for safety. Like pollution, the only possible solution is regulation, where manufacturers are forced to meet threshold security standards, even if the consumer doesn’t care.

Somebody who does care is the U.S. Department of Homeland Security, which acknowledges the threat. Last week it issued directives to manufacturers titled “Strategic Principles for Securing the Internet of Things”. The document clarifies that it is the responsibility of the manufacturers to assure security; if they fail, they can get sued.

“Everything that generates data can be part of a botnet, even a smart refrigerator,” says David Feldman, CEO of Cybonet, which sells spam blockers to internet service providers. “If a security camera can transmit images, hackers can hijack it to send spam.”

ISPs should also care about the cyberthreat posed by smart homes, Feldman adds. Both the customer and the ISP can get blacklisted by security software as spammers.

Also, hacker attacks like spam and DDoS are a headache for the ISPs, because the huge traffic volumes create extra costs.

How can the smart home be protected? Security experts disagree. Some say that since it may not be feasible or possible to add security software to the device, the guard should be set up in the home router, through which all the household data traffic is transferred.

“We know how to protect users of PCs, Macs and smartphones,” says Shaul Levi, chief scientist at AVG Technologies. But smart homes have computers of different types. Data to and from all the devices passes through the router. So the company created Chime Connected Home Platform security checking software for routers. It sells the product to router manufacturers.

So far its clients are mainly makers of relatively expensive routers, such as Amped Wireless, but he adds that AVG intends to release Chime as open-source code, so any manufacturer can use it to upgrade their product.

Another Israeli company, Dojo Labs, developed a security technology that connects to the home network, to protect smart devices from malware. It was recently acquired by the Ukrainian company Bullguard. A Finnish data security company called F-Secure also offers smart routers for smart homes, called Sense. The Romanian company Bitdefender is developing a physical security component for IoT devices and the startup Luma is working on an advanced router including security for smart homes. It has heavy backers, including Amazon and the Accel fund. And that’s just a partial list.

Head in the cloud

An alternative approach to IoT security is that routers are going to get stupider, and that defense has to come from the cloud.

“The old generation of IoT devices connect with an IP address to the network and that’s about it,” says Roy Dagan, founder and CEO of Israeli cyber-security company Securithings. “The second generation of products is usually connected to some cloud and to the service vendor, usually on the basis of monthly payments. When you buy a webcam from Ali Express, you have no agreement with the company. But when you buy something from a known supplier and make monthly payments, the contract between the parties is a little clearer and more binding. We think that as awareness of the dangers develops, people will prefer to buy IoT products from suppliers they trust. It’s like you use Gmail because you trust Google, but you wouldn’t accept such a sensitive service from any fly-by-night supplier.”

Dagan’s company sells its product to ISPs. “We sit in the cloud and check many parameters – from where the user is connecting to the webcam, at what time, what he’s doing with it and so on. For instance, if it’s August and it’s 30 degrees outside, the user isn’t supposed to turn on heating, and if he does, it’s probably because the heater has been hacked. Our system learns automatically and carries out analysis, ranking each action on a scale of risk level.”

Bezeq security chief Haim Miller also likes the cloud approach. “IoT needs a dynamic defense system in the cloud, which studies the internet, understands, monitors and reacts to viruses,” he says. “When something like a smart power outlet is online, we study it and register its usage pattern over a week. After the learning period is over, an unusual event could trigger one of two things, as the client chooses: an alert to the client, or we block the unusual contact.”
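The learn-then-flag approach Dagan and Miller describe, as an added sketch in Python that is not part of the article and is not either company's product. The weights, the threshold of 50, the field names and every sample event are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

class DeviceBaseline:
    """Learns one device's normal usage, then rates later events 0-100."""
    def __init__(self, policy="alert", threshold=50):
        # policy is the client's choice for unusual events: "alert" or "block"
        self.policy, self.threshold = policy, threshold
        self.sources, self.hours, self.actions = Counter(), Counter(), Counter()

    def learn(self, event):
        self.sources[event["source"]] += 1
        self.hours[datetime.fromisoformat(event["time"]).hour] += 1
        self.actions[event["action"]] += 1

    def risk(self, event):
        hour = datetime.fromisoformat(event["time"]).hour
        score = 0
        if event["source"] not in self.sources:
            score += 40   # network never seen while learning
        if not any(self.hours[(hour + d) % 24] for d in (-1, 0, 1)):
            score += 25   # no learned activity within an hour of this time
        if event["action"] not in self.actions:
            score += 15   # command never used while learning
        if event["action"] == "heat_on" and event.get("outdoor_c", 0) >= 30:
            score += 35   # context rule: heating switched on in hot weather
        return min(score, 100)

    def decide(self, event):
        return self.policy if self.risk(event) >= self.threshold else "allow"

# Constructed learning week for a smart heater (not real telemetry).
WEEK = [
    {"time": f"2024-01-{d:02d}T{t}", "source": s, "action": a, "outdoor_c": 8}
    for d in range(1, 8)
    for t, s, a in (("12:10:00", "mobile-isp", "read_temp"),
                    ("18:05:00", "home-isp", "heat_on"),
                    ("23:00:00", "home-isp", "heat_off"))
]

def demo(policy="block"):
    baseline = DeviceBaseline(policy=policy)
    for event in WEEK:
        baseline.learn(event)
    later = [  # constructed events after the learning period
        {"time": "2024-01-09T18:20:00", "source": "home-isp", "action": "heat_on", "outdoor_c": 8},
        {"time": "2024-01-09T12:40:00", "source": "hotel-wifi", "action": "read_temp", "outdoor_c": 8},
        {"time": "2024-08-10T03:15:00", "source": "unknown-host", "action": "heat_on", "outdoor_c": 31},
    ]
    return [(baseline.risk(e), baseline.decide(e)) for e in later]
```

The owner checking the temperature from an unfamiliar hotel network scores 40 and is allowed, while a 3 a.m. heating command from an unknown source in 31-degree weather reaches 100 and is blocked or alerted on, depending on the client's chosen policy.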

Don’t shrug. As Homeland Security put it: “While the benefits of IoT are undeniable we increasingly integrate network connections into our nation’s critical infrastructure [but] our increasing national dependence on network-connected technologies has grown faster than the means to secure it.”

So how do you protect your home? How do you know your webcam isn’t working against you?

First of all, and most important: Secure your webcam or smart device with a powerful password. Do not settle for the manufacturer default. You might as well not have any password at all. Don’t use the same password that you use for your home router.

Secondly, buy from known, reliable suppliers that provide software updates: they will probably keep on top of vulnerabilities discovered in their software and handle them, advises Amir Modan, marketing manager at the tech chain Bug. Some webcams can be set to shut off at specific times. “In any case,” he adds, “I recommend not walking around naked next to the camera and don’t put one in the bathroom.”

Buying a security camera from a phone company like Bezeq will cost you more than buying in a store or online. But it bears saying that service providers are usually more committed to product safety and data security than some unknown manufacturer somewhere in Asia, and they also have the tools to check the behavior of your webcam online.