Often, people consider physical and digital security as two separate entities. While physical security focuses on protecting people and objects, cybersecurity relates to digital assets connected to networks. However, the rise of Internet of Things (IoT) video cameras transforms physical security initiatives into cybersecurity risks. IoT security cameras enable organizations to implement more robust facility monitoring, often incorporating facial recognition and artificial intelligence. Organizations are likely to adopt more IoT security technologies, with experts predicting that the global video surveillance market will be $53.7 billion in 2023 and reach $83.3 billion by 2028 with an expected CAGR of 9.2% from 2023-2028.

As with many other IoT devices, these security cameras create opportunities but bring cybersecurity risks with them. With no standardized security requirements, IoT devices have network risks. From limited authentication capabilities to lack of encryption on the devices, attackers can exploit these vulnerabilities as an initial access point into the organization’s systems. 

Recognizing the increased use, threat actors target these devices and their ecosystems hoping to leverage any vulnerabilities as part of their attacks. For example, in the last twelve months, IoT security cameras and their ecosystems have been in the news because these vulnerable devices offer various pathways into a customer’s systems and networks, including:

• January 2023: Hangzhou Xiongmai Technology recalled 4.3 million internet-connected camera products linked to Distributed Denial of Service (DDoS) attacks that impacted sites like Netflix, PayPal, and X (formerly Twitter). 
• February 2023: Security researchers identified a vulnerability affecting Dahua cameras and video recorders that attackers could use to modify a device’s system time. 
• April 2023: Video surveillance giant Hikvision patched a critical vulnerability affecting its Hybrid SAN and cluster storage products. 
• January 2024: Security Service of Ukraine identified a security camera monitoring a residential complex’s parking facility as being used to conduct reconnaissance prior to missile attacks 

Although public records of data breaches definitively linked to IoT security cameras are limited, the threats facing these devices are expansive, including compromising the data that they store, the networks they communicate across, and the sensitive data on the systems connected to those networks. 

While IoT security cameras enable organizations to monitor physical security, they often impact a company’s data security and privacy posture and should be incorporated into the overarching data protection program

Anatomy of an IoT Security Camera Attack

Although attackers can use IoT devices to compromise an organization’s security in various ways, understanding how threat actors can use IoT security cameras provides insight into why organizations should consider monitoring and securing these devices. 

Scan the Network 

As with every attack, threat actors begin their process by looking for weaknesses to exploit. During this reconnaissance stage, they might use Shodan, the self-proclaimed “Search Engine for the Internet of Everything.” Attackers can input an organization’s name into the search engine and receive a list of devices connected to the network. This search enables them to identify cameras and the open ports where the IoT devices talk to the network.

Attempt to Connect to Network

Armed with the organization’s network IP address, they can gain information about the IoT camera.  For example, directly inputting the device’s IP address may prompt an administrative login popup, typically used for configuring the camera.

Research the Device

With information about the device’s manufacturer and its model, the malicious actors can do some internet research that enables them to compromise the device and, thus, the network.

• Password – Most device manufacturers have the default passwords listed publicly so that customers can find them if they lose the original documentation from the package. If this research fails to provide a password, they can attempt a brute force attack, sending commonly used passwords to the login and hoping to gain access. While implementing multi-factor authentication (MFA) can mitigate brute force attack risks, many IoT devices lack this capability, leaving organizations vulnerable and without the appropriate security protections.
• Vulnerabilities – By identifying the device’s manufacturer and model, threat actors can search the National Vulnerability Database (NVD) for Common Vulnerabilities and Exposures (CVEs) associated with it. The NVD search function allows people to input manufacturer or device names, then provides a list of all known vulnerabilities associated with them. Additionally, many of these descriptions include links to the original security research that outlines ways to exploit the vulnerability and the, like authentication bypass or remote code execution. Whether using the clear or dark web, the malicious actors have access to information and directions that help them exploit the identified vulnerability.

Gain Access to the Device

If the malicious actors managed to gain initial access by finding the device’s default administrative password online or brute forcing their way, they already have privileged access that enables them to control the surveillance camera. 

If they gain initial access by exploiting a vulnerability, the malicious actors may need to do additional work, like accessing the directory and searching for sensitive information, like password files. Once they have this information, they can give themselves additional access until they have administrative privileges.

With administrative privileges, they can pivot across the network by investigating what the device knows, enabling them to get to higher-value resources.

Best Practices for Mitigating IoT Security Camera Risks

As organizations deploy more IoT devices, like surveillance cameras, they need to consider the additional security risks arising from these implementations.

Inventory Devices

Before organizations can implement security controls, they need to identify all the IoT devices connected to their networks, not just the security cameras. However, traditional IT tools can take devices offline so organizations need passive scanners that detect and fingerprint devices, providing information like:

• Hardware: manufacturer, model, serial number
• Software: operating system, version, firmware revisions
• Device type and function
• Security assessment: vulnerabilities and risks

Identify Vulnerabilities and Prioritize Remediation Actions

Once organizations know what they have connected to their networks, they need to identify the vulnerabilities that attackers can exploit. Active scanning used by traditional vulnerability identification tools can disrupt IoT device service. To identify risky devices, organizations can use a passive scanning solution that:

• Identifies where exploitable vulnerabilities are within the environment and for each specific device 
• Prioritizes activities on real-time exploitability
• Provides actionable remediation recommendations that include applying security updates or implementing appropriate compensating controls, like deactivating unnecessary services or implementing microsegmentation

Monitor for Anomalous Activity

Traditional IT cybersecurity tools often fail to collect and analyze technical forensic data generated by IoT devices, making it hard to determine how threat actors use a compromised device after obtaining access. 

With a dedicated IoT security solution, organizations gain visibility into normal device activity so that they can identify abnormal behaviors indicating a potential security incident. For example, organizations may find that an IoT device connects to a server outside their geographic region to receive firmware updates. This would enable the company to identify abnormal connections to locations that might be an attacker’s command and control (C2) server, like when attackers try to use IoT devices as part of a larger botnet.

Enhance Detection and Investigation

When organizations incorporate their IoT devices into their overarching security monitoring tools, they can build high-fidelity alerts that enable their security teams to detect attacks faster. Further, with solutions that can capture network packet data, security analytics can investigate root cause faster and obtain important forensic data like:

• RAM from servers (important for fileless malware, which doesn’t touch magnetic media)
• Traffic information from network devices
• Data transferred to an FTP server

Asimily: Protect IoT Security Cameras from Attackers

Asimily provides holistic context into an organization’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.