Peer-Seeking Webcam Reveals the Security Dangers of Internet Things

Last week security blogger Brian Krebs revealed that a popular internet-enabled security camera “secretly and constantly connects into a vast peer-to-peer network run by the Chinese manufacturer of the hardware.”
While the device is not necessarily sharing video from your camera, it is punching through firewalls to connect with other devices. Even if the user discovers it, it’s still extremely hard to turn off. And apparently it’s not the only electronic device that’s secretly phoning home.
The manufacturers may envision this as a service, allowing mobile users to conveniently connect remotely to their collection of devices at home. But in some cases, manufacturers aren’t even publicizing these features to their customers, which is one of the things that’s alarming the former Washington Post cybercrime reporter, who holds the device up as an example of “Why People Fear the ‘Internet of Things’.”
“[T]he problem with so many IoT devices is not necessarily that they’re ill-conceived, it’s that their default settings often ignore security and/or privacy concerns,” Krebs wrote.
The camera in question is sold by the Chinese firm Foscam. One user detected the unusual behavior and posted about it on the company’s discussion board last November. Soon other users were chiming in, confirming that they’d noticed the same thing.
“I had cut off anything that should have caused the camera to ‘phone home’, but it still insisted on sending out UDP 10001 to several different IPs,” posted another user a few days later. “My router blocked the incoming responses, so no conversation was actually created, but my firewall was reporting about 16,000 attempted connections (4,000 to each of four different IPs).”
Krebs points out that some of the company’s “P2P” cameras don’t even include P2P in the product’s name — but then argues there are two even bigger problems. First, this behavior is enabled by default and stays on until the user proactively disables it. And second: disabling it doesn’t really work. “Foscam admits that disabling the P2P option doesn’t actually do anything to stop the device from seeking out other P2P hosts online…”
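The behavior the forum user described, thousands of outbound UDP/10001 attempts from a single device to a handful of fixed external addresses, is exactly the pattern a home router's connection log can surface. The script below is an added example, not code from the article, from Krebs, from Foscam or from any of the quoted users: it parses constructed netfilter-style LOG lines and flags LAN hosts that keep sending UDP to a small fixed set of non-local peers on one port. The log format, the addresses (taken from documentation ranges), the thresholds, and the DNS/NTP allowlist are all assumptions made for the example; the allowlist is there because a phone querying one resolver a few hundred times looks superficially like the same beaconing and should not be flagged.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Each field is extracted on its own so the order of netfilter LOG fields does not matter.
_FIELD = {name: re.compile(rf"\b{name}=(\S+)") for name in ("SRC", "DST", "PROTO", "DPT")}

# Address ranges that never count as "phoning home" (RFC1918, loopback, link-local,
# multicast and broadcast). Listed explicitly rather than via ipaddress.is_global,
# which would also treat the documentation ranges used in the sample as non-public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# UDP services that legitimately show a steady trickle to one fixed server
# (assumption: the home network uses an external resolver and an NTP pool).
EXPECTED_UDP_SERVICES = {53, 123}


def parse_log_line(line):
    """Return (src, dst, proto, dport) for a netfilter LOG line, or None if a field is missing."""
    fields = {}
    for name, pat in _FIELD.items():
        m = pat.search(line)
        if not m:
            return None
        fields[name] = m.group(1)
    try:
        dport = int(fields["DPT"])
    except ValueError:
        return None
    return fields["SRC"], fields["DST"], fields["PROTO"].upper(), dport


def is_local(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable address: do not count it
    return any(ip in net for net in LOCAL_NETS)


def find_beaconing_hosts(lines, min_attempts=100, max_peers=8):
    """Flag (src, dport) pairs with many UDP attempts to a small fixed set of external peers.

    Returns findings sorted by attempt count; each is a dict with src, dport,
    attempts and a per-destination count so an operator can see the peer set.
    """
    attempts = defaultdict(Counter)  # (src, dport) -> Counter of external dst
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "UDP" or dport in EXPECTED_UDP_SERVICES or is_local(dst):
            continue
        attempts[(src, dport)][dst] += 1

    findings = []
    for (src, dport), per_dst in attempts.items():
        total = sum(per_dst.values())
        if total >= min_attempts and len(per_dst) <= max_peers:
            findings.append({"src": src, "dport": dport, "attempts": total, "peers": dict(per_dst)})
    findings.sort(key=lambda f: f["attempts"], reverse=True)
    return findings


def _log_line(seq, src, dst, proto, sport, dport):
    minute, second = divmod(seq, 60)
    return (f"Jan 10 08:{minute:02d}:{second:02d} router kernel: FW-OUT: IN=br0 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=44 TTL=64 PROTO={proto} SPT={sport} DPT={dport}")


def build_sample_log():
    """Constructed router log (not real captures): a camera hammering four external IPs on
    UDP/10001, a laptop browsing over TCP/443, a phone doing DNS, and a smart plug sending a
    handful of UDP probes that stay below the default threshold."""
    lines, seq = [], 0
    for _ in range(60):
        for dst in ("198.51.100.10", "198.51.100.11", "203.0.113.20", "203.0.113.21"):
            lines.append(_log_line(seq, "192.168.1.50", dst, "UDP", 10001, 10001)); seq += 1
    for n in range(20):
        lines.append(_log_line(seq, "192.168.1.20", f"203.0.113.{100 + n}", "TCP", 50000 + n, 443)); seq += 1
    for n in range(300):
        lines.append(_log_line(seq, "192.168.1.30", "198.51.100.53", "UDP", 40000 + n, 53)); seq += 1
    for _ in range(5):
        lines.append(_log_line(seq, "192.168.1.60", "203.0.113.77", "UDP", 32100, 32100)); seq += 1
    return lines


if __name__ == "__main__":
    for f in find_beaconing_hosts(build_sample_log()):
        print(f"{f['src']} -> UDP/{f['dport']}: {f['attempts']} attempts to {len(f['peers'])} peers")
```

Run against a real router's log export, the same function answers the question the forum user answered by hand: which device on the LAN is repeatedly trying to reach the same few addresses, on which port, and how often. Lowering `min_attempts` surfaces quieter devices such as the sample plug; the peer-count ceiling keeps ordinary browsing, which spreads across many destinations, from being reported.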
Krebs links to a post in Foscam’s forum where a user shared the response they had received from the company’s customer support: to make it possible for the cameras to come online instantly, they were always syncing with the server.
It’s not the first incident raising questions about the security of security cameras. Back in 2005, web surfers discovered an easy way to search Google for the addresses of web-based security cameras and began remotely controlling the cameras themselves and pulling up live feeds of strangers from around the globe.
“I was mooching around this Chinese bloke’s shop with no one to be seen,” posted one prankster. “Then all of a sudden they turn up, he looks at the camera whilst I was zooming in on him and he twigged something was not right…so he runs over to his PC with me following him with the camera, then he calls his friend over….obviously they went there to check the PC as the camera is linked through that.”
As they pulled up the camera-controlling software on their PC, they saw: a picture of themselves.
But now the devices are proactively contacting the Internet themselves, and in many cases, the internet-enabled cameras are even designed to reach through a user’s firewall. This obviously opens up a new attack vector. According to Krebs, on Foscam’s cameras this functionality “can’t be switched off without applying a firmware update plus an additional patch that the company only released after repeated pleas from users on its support forum.”
Krebs contacted Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute, who described it as “an insanely bad idea.”
“It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network. Given the seemingly cavalier attitude and the almost certain lack of automatic updates, it is almost certain that these devices are remotely exploitable,” Weaver told Krebs.
Consumers may not be aware that their internet-enabled devices may already be reaching out to the Internet of Things. Last May a user also discovered a DVR that was contacting the same IP address in China. And a few months earlier, another security-watcher noted similar P2P behavior in a smart plug he’d purchased, which allows lights to be switched off remotely using a mobile phone.
“Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage…” he wrote on the “Internet Storm Center” site. Though the product’s packaging made no mention of this functionality, his plugs were also attempting to contact that same peer-to-peer network.
“It’s not a major security issue but this story enforces what we already know (and be afraid) about IoT: those devices have weak configuration and they lack visibility/documentation about their behavior,” the user, Xavier Mertens, wrote. “Take care when connecting them on your network.”