Security site Bleeping Computer recently broke news that thousands of surveillance DVR appliances are vulnerable to hackers. A short line of code allows hackers to exploit a vulnerability found in a number of internet-connected cameras.
Exploiting the flaw causes the camera's username and password to be displayed in plain text. That plain text essentially grants access to the camera's systems. This admin-level access lets the hackers move cameras, steal data, or spy in real time. Ezequiel Fernandez, the researcher who discovered the flaw, first found the issue with cameras made by Spanish camera maker TBK Vision. Fernandez notes cameras from CeNova, Night Owl, Nova, Pulnix, Q-See, and Securus are also affected.
So far, none of the companies listed have been available for comment, either to Bleeping Computer or c|net. Both sites have also reached out to Fernandez, who has declined to comment on his publication. However, other security experts have verified that “the hacking code could successfully access the login credentials for the cameras Fernandez identified.” (cnet.com).
The danger of such a widespread breach of passwords has implications beyond simply compromising the security of the camera owners. If a large enough group of devices is infected with malicious software, they could be used to form a botnet. This botnet could be used to perform attacks on websites or run a DDoS attack.
As a first precaution, make sure that you are following good password protocol for all of your devices. First, never leave a password as the factory default, as these are incredibly easy to bypass. Second, use a password manager to keep track of all of your various passwords. Lastly, make your passwords complex but memorable: a password doesn’t need to be a string of random characters and cases to be strong.