OK, I will give you the punchline upfront. According to TechCrunch, Robert Stephens, a tech industry veteran, put a WiFi-connected security camera on the Internet and it was hacked in … 98 seconds.
In 98 seconds it is highly unlikely that you could even get logged in to the camera, never mind change the default password or download updated firmware.
Given that Stephens figured that this was going to happen, he walled off the camera with a number of protections.
The way the attack worked is this. The first wave of the malware identified the manufacturer of the camera and knew the default password. It then used that password to log in to the camera and download the rest of the malware, owning the camera. The malware was a relative of the Mirai malware that took down parts of Twitter and Amazon, among many other websites, last month.
The article said that this was a cheap off-brand camera and that better quality devices would “almost certainly” be better protected. I guess the author of that article should read my blog post from yesterday – the one that talks about Sony pro-grade cameras having, basically, equally bad security issues, maybe worse.
The geeks who responded to the post said things like cameras should never be put directly on the Internet, but rather behind a firewall. This is certainly true and might help a little bit, but you want to be able to remotely look at the camera, so to some degree it has to be on the Internet.
One thing that would help would be if manufacturers would set up devices so that they could not be remotely accessed until the setup was complete. That would include REQUIRING the user to change the initial password and making that password relatively long and complex. Manufacturers need to set it up so that if the user doesn’t do that, the camera will not come online. But they don’t want to do anything that would discourage people from buying (and not returning) their products.
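A sketch of the setup gate described above, as an added example that is not code from the article or from any camera manufacturer. The class and function names, the `admin` default, the 12-character minimum, and the three-of-four character-class rule are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"  # constructed placeholder, not a real vendor default
MIN_LENGTH = 12            # assumed policy value; the post only says "relatively long"

def policy_errors(candidate):
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    errors = []
    if candidate.lower() == FACTORY_DEFAULT.lower():
        errors.append("factory default password")
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    kinds = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    if sum(any(kind(c) for c in candidate) for kind in kinds) < 3:
        errors.append("needs 3 of: lower, upper, digit, symbol")
    return errors

class Camera:
    def __init__(self):
        self.provisioned = False   # remote access stays closed until this flips
        self._salt = self._digest = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def complete_setup(self, new_password, via_local_link):
        """Setup is accepted only over the local link, never from the Internet."""
        if not via_local_link:
            raise PermissionError("setup is only allowed from the local link")
        errors = policy_errors(new_password)
        if not errors:
            self._salt = os.urandom(16)
            self._digest = self._derive(new_password)
            self.provisioned = True
        return errors

    def remote_login(self, password):
        if not self.provisioned:
            return "refused: setup incomplete"  # the default is never even tested
        ok = hmac.compare_digest(self._derive(password), self._digest)
        return "ok" if ok else "denied"

if __name__ == "__main__":
    cam = Camera()
    print(cam.remote_login(FACTORY_DEFAULT))
    print(cam.complete_setup("admin", True))
    print(cam.complete_setup("Blue-Heron-42-Lake", True))
    print(cam.remote_login("Blue-Heron-42-Lake"))
```

Because the factory default is never stored as a valid credential, a login attempt with it fails both before setup (refused) and after setup (denied).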
There are things that you can do to help protect yourself, but they are too complicated for the average bear to do. You cannot expect people to be geeks.
HOWEVER, on the other hand, for now, until manufacturers get their S**t together, that is exactly what users have to do. At their time and their expense. THAT is not fair.
Sorry, but that is just the way it is for now.
Information for this post came from TechCrunch.