Kaspersky Lab security researchers have reported finding multiple security vulnerabilities across popular smart devices.
According to research from the company, the uncovered flaws could allow attackers to obtain remote access to video and audio feeds from the smart cameras, which are frequently used as baby monitors or for internal home and office security surveillance. The vulnerabilities also allowed the devices to be remotely disabled and malicious code to be executed on them.
The security researchers found that the devices were vulnerable to malware because of an insecurely designed cloud system, which was open to easy interference. The system was designed to let users remotely access video from their devices from anywhere; instead, it exposed those devices to vulnerabilities and attacks.
Affected devices could cause chaos for users, allowing malicious users to carry out various types of attacks. ‘Hackers’ could access video or audio feeds from any camera connected to the vulnerable source, gain access to the camera to use it as an entry point for further attacks, and steal personal information such as login credentials.
While researching the vulnerabilities and the affected devices, Kaspersky Lab experts identified a total of 2,000 vulnerable cameras working online. However, these were only the cameras with their own individual IP address directly available through the internet. The actual number of vulnerable devices could therefore be significantly higher.
“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems – or at least significantly decrease the severity of existing issues,” said Vladimir Dashchenko, head of vulnerabilities research group, Kaspersky Lab ICS CERT.
“In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable.”
Hanwha Techwin, the manufacturer of the affected cameras, said that some vulnerabilities had been fixed, with the remaining ones set to be completely fixed soon.
“The security of our customers is the highest priority for us. We have already fixed the camera’s vulnerabilities and we have released updated firmware available to all our users. Our company actively collaborates with vendors and reports all discovered vulnerabilities. Some vulnerabilities related to the cloud have been recognised and will be fixed soon,” Hanwha Techwin said, in response to Kaspersky’s findings.
The discovery comes just days after the UK Government called for more security features to be added to smart devices to protect users.