Researchers at Bitdefender say that they have uncovered two vulnerabilities in low-cost Chinese cameras.
One of the cameras is used in the iDoorbell, which adds a software supply chain issue on top of the camera flaws themselves. The cameras come from Shenzhen Neo Electronics. The researchers suspect that other cameras are affected as well.
Using the search engine Shodan, the researchers found over 100,000 vulnerable cameras, but they suspect the real number is larger because other camera models may be affected.
One of the two exploits doesn't even require the attacker to be able to log in; it compromises the login process itself.
The low cost of the camera ($39) means that there are likely a lot of them out there.
The low cost of the camera also probably explains why the manufacturer did not respond to the researchers' notification of the problem.
Now that the vulnerability has been disclosed, any hacker who was not aware of the problem before is aware of it now.
Since the vulnerabilities allow a hacker to run arbitrary code on the camera, the hacker could use it as a foothold to compromise any network that the camera is attached to. That is pretty scary.
There is some hope on the horizon. Maybe.
Senators Cory Gardner (R-CO) and Mark Warner (D-VA) have introduced a bill that could make things a little bit better.
The bill, IF PASSED AND SIGNED BY THE PRESIDENT, establishes certain requirements for any IoT device that a vendor wants to SELL TO THE FEDERAL GOVERNMENT. This is a small but meaningful subset of IoT devices. Vendors that meet the requirements will likely advertise the fact that their devices are more secure, which could force vendors who have not implemented the federal standard to do so for competitive reasons. IF the bill passes.
Here are the bill’s requirements as of today:
- The devices must be patchable (seems logical, but have you tried to patch your refrigerator lately?).
- The devices must not contain known vulnerabilities. That means that the cameras at the beginning of the article could not be sold to the government. If the vendor identifies vulnerabilities later, it must disclose them to the government, explain why the device is still secure, and describe what compensating controls might exist. After that, the agency's CIO can issue a waiver. Most likely, CIOs would not want their signature on that waiver unless the device was absolutely critical to the agency's mission.
- The devices must rely on standard protocols. No secret, proprietary (and hence untested for security) protocols allowed.
- Agencies can ask the OMB for a waiver to buy a non-compliant device if they can show that there are compensating controls, but who is going to ask for that? If that device were to be hacked after the fact, there would be hell to pay.
- The OMB, working with NIST, would be required to create security standards for the government to deploy those devices. Of course businesses could use those standards too.
- Agencies could have their own security standards for IoT devices – as long as they were more rigorous than the standard.
- Vulnerabilities found must be patched or devices replaced in a timely manner (whatever that means – full employment for lawyers, I suppose).
- It also protects researchers from being prosecuted under the Digital Millennium Copyright Act (DMCA) for hacking into the device to find and report vulnerabilities.
We shall see if the bill gets passed; it might be, and that would be very good. Stay tuned. If it does get signed into law, I will let readers know.