IoT Security Cameras are Vulnerable: Here’s How You Protect Them

Security cameras are among the most common Internet of Things (IoT) devices installed in both business and consumer settings. They’re video baby monitors used to keep an eye on sleeping babies, internet-connected cameras for building security, and video doorbells designed to monitor the exterior of homes and businesses.

In fact, many of the IoT devices currently deployed are security cameras. According to Berg Insight AB, Europe and North America had some 183 million units deployed in 2019, a figure that will likely grow to 420.3 million units by 2024. Furthermore, according to estimates, the smart camera market size is projected to reach $9.17 billion by 2026.

The ubiquity of IoT security cameras poses a few issues. First are concerns around privacy in general, and second is the reality that IoT cameras are vulnerable to cyberattacks. CCTVs and IP cameras that are accessible over the open internet can be easy for cybercriminals to access. The reasons behind this could be misconfigurations, default passwords, or even software vulnerabilities. Once the camera has been accessed, threat actors could download the security video and sell it on the Dark Web, use the exfiltrated video for information gathering, or even leverage the cameras for botnets or lateral movement. 

Organizations using IoT security cameras for security need to be aware of these challenges and take steps to protect them against cyberattacks. 

Why IoT Security Cameras Are Vulnerable to Cyberattacks

IoT security cameras suffer from the same issues that plague connected devices more broadly. They’re often shipped with easy-to-guess default passwords and in high enough volume that they’re difficult to secure at speed. Threat actors can easily find out the default password and use it to gain access to smart cameras at businesses and in personal residences. 

The results can be disastrous. In December 2020, dozens of people sued a security camera maker over “horrific” invasions of privacy that show a weak point in IoT security cameras. The lawsuit alleged that the cameras came with lax security measures, allowing remote actors to take control of the devices. They further claimed the attackers misused the cameras to harass over 30 people in 15 families. The plaintiffs alleged that the attackers screamed obscenities, demanded ransoms, and even threatened murder in some cases.

Camera makers might depend on the security of networks to protect the device itself. This approach leads to poor security practices and can result in hackers scouting out locations or people deciding to spy on others for their own pleasure. IoT security cameras might have such poor security on the data protection side that employees have access to all the footage collected. One camera maker put no restrictions on any employee viewing video recorded by any customer. This lack of privileged access management on the data protection side creates a significant security risk. 

IoT security cameras can also be easily misconfigured. Even the most skilled technician could make a mistake when installing a connected security camera, which then allows threat actors to gain initial access. If the security camera is connected to the open internet and the internal network, this could mean the camera serves as a stepping stone for lateral movement. 

IoT cameras could also become part of botnets. The Mirai botnet, first discovered in 2016, is one example of malware that uses connected devices to launch attacks. In Mirai’s case, these are mostly DDoS attacks designed to take down various websites. Botnets can be used in any number of attack chains, but the fact remains that IoT security cameras could be part of a botnet if compromised.

These issues arise because IoT camera makers often deprioritize security in favor of bringing a product to market quickly. These devices might run on outdated software and lack the ability to receive updates in the first place, complicating matters well beyond shipping with a default password. IoT camera makers almost act as if they expect someone else to take care of security, which is a problem. 

How to Protect Your IoT Security Cameras

Securing the IoT cameras in your organization requires a few basic best practices. To start with, you need to maintain an inventory of all CCTV or IP cameras deployed on the premises. Criminals have been known to place hidden cameras in various locations and then sell the resulting video that they capture. If you’re conducting a regular inventory of all IoT devices with a scanning solution to look for IP traffic, then you’ll be able to know where all your cameras are and – hopefully – if there are any cameras transmitting data that shouldn’t be there. 

Cybersecurity teams should also apply anomalous behavior detection to their IoT security cameras. Tracking the traffic that the camera generates and where that traffic is going is absolutely critical. You want to be able to tell if the camera is transmitting data to a location that shouldn’t be receiving video.
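An added example (not from the original article and not any vendor's code) of the inventory and traffic checks described above: it audits flow records against a camera inventory, flagging cameras that send data to destinations outside their allowlist and hosts that serve video but are missing from the inventory. All addresses, the record layout, and the audit_flows function are constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: the organization's internal address space.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
# Constructed inventory: camera IP -> destinations it may send to (NVR, gateway/NTP).
INVENTORY = {
    "10.20.0.11": {"10.20.0.5", "10.20.0.1"},
    "10.20.0.12": {"10.20.0.5", "10.20.0.1"},
}
# RTSP ports; a host sending from one of these is probably serving video.
VIDEO_PORTS = {554, 8554}

# Constructed unidirectional flow records (bytes sent from src to dst).
SAMPLE_FLOWS = """\
src,src_port,dst,dst_port,bytes
10.20.0.11,554,10.20.0.5,41822,48211934
10.20.0.12,554,10.20.0.5,41830,51200311
10.20.0.12,50112,203.0.113.77,443,912003441
10.20.0.11,123,10.20.0.1,123,380
10.20.0.99,8554,10.20.0.60,52001,77120045
10.20.0.11,40022,10.20.3.15,445,20480
10.20.0.60,51000,10.20.0.5,443,1000
"""

def audit_flows(flow_csv, inventory=INVENTORY):
    """Return (rule, src, dst, bytes) findings for flows that break the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, sent = row["src"], row["dst"], int(row["bytes"])
        if src in inventory:
            # Known camera: every destination must be on its allowlist.
            if dst not in inventory[src]:
                inside = ipaddress.ip_address(dst) in INTERNAL
                scope = "internal" if inside else "external"
                findings.append((f"unapproved_{scope}_destination", src, dst, sent))
        elif int(row["src_port"]) in VIDEO_PORTS:
            # Video is being served by a host nobody has inventoried.
            findings.append(("uninventoried_video_source", src, dst, sent))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

An unapproved internal destination is worth the same attention as an external one, since it can indicate a camera being used as a stepping stone into the rest of the network.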

More important, however, is locking down access to the IoT camera. On the consumer side, it should be very difficult for the camera maker’s employees to access the video recorded from personal security cameras. On the enterprise side, this means limiting access to the camera and the stored video to just the security team. It also means ensuring that the IoT camera is not accessible on the open internet. The harder you can make it to gain access to cameras from outside the network, the more likely they are to remain secure.

How Asimily Helps Defend IoT Security Cameras

The Asimily platform is designed to counter the risks of IoT security cameras. Asimily scans your network to discover any new connected devices and uses these scans to update your inventory on a regular cadence. This allows organizations to build a complete inventory of all IoT devices on the network, while also gathering extensive information such as MAC ID and other identifiers.

Once security teams understand which IoT devices are on their network, they can work to mitigate any potential consequences. Asimily’s protection technology includes the ability to plan how to segment out IoT cameras with the biggest vulnerabilities. This allows security teams to reduce the possibility of any compromised device serving as initial access to a larger network. It also provides simpler and easier-to-implement fixes for most vulnerabilities.

Asimily also includes anomalous behavior detection. The platform monitors all IoT devices for any abnormal communication pathways or protocols. Visibility into device behavior allows security teams to detect attacks in progress and potentially stop them. With insight into anomalous behavior, security teams can also more readily perform a forensic analysis and make changes to their policies later. 

Asimily is built to help organizations resolve their IoT security challenges through effective inventory creation and anomaly detection, among other capabilities. With Asimily, companies investing in the Internet of Things can ensure that they don’t fall victim to threat actors trying to exfiltrate data through connected devices. 

Conclusion

IoT security cameras are vulnerable to cyberattacks. There is little doubt of that, especially given the devices’ general lack of security in their construction and difficulty of updating. To do better, organizations need to focus on purchasing cameras that have updated operating systems and a stronger focus on security. Security teams then need to deploy a solution like Asimily that emphasizes the tools necessary to protect IoT devices: regular inventory creation, anomalous behavior detection, and more. Organizations that use Asimily can be confident of reducing the risk of using IoT security cameras.

To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.
