A recent search engine called Shodan recently launched and its mission was to search the Internet for insecure IoT (Internet of Things) cameras. It showed the world just how insecure cameras can be and how owners are unaware of how easily they can be breached. A recent Ars Technica article showed the image of a sleeping baby.
Normal IoT Camera Setup
When you set up any IoT system, you connect it to your Wi-Fi whether it’s your ISP’s router or your own internal router. We don’t think about encryption or passwords, because most IoT hardware is built with poor security and little concern for open-air eavesdroppers. The problem with this type of casual setup is that it makes it easy for hackers to gain access to the system.
Highlighted in the Ars Technical reference, the cameras used to breach security and capture images used port 554. This port has no default authentication system, which means that there is no encryption or password placed on the device. It makes the device open to Internet connections from anyone, including a random search engine such as Shodan intended to show the security system’s vulnerabilities.
How to Secure Your IoT Devices
Unfortunately, securing your devices takes the cooperation of the manufacturer. The FTC and several security activists have been pushing for IoT manufacturers to create better security on their devices. Several other devices have been caught with poor security including home security systems, garage door openers and even baby monitors. Since these devices are programmed without security in mind, often they are developed without thinking like a hacker. In other industries such as web development and cloud software, security is always an important aspect of design.
If you suspect that your device is vulnerable, the first step is to contact the manufacturer to see if there are any patches you can make to the system. Some manufacturers can add better security through patching the software including encryption capabilities.
The next step is to review the manufacturer’s documentation. Some manufacturers have optional passwords and security that you can turn on within the system. Although it’s not required, you can optionally set a password, which would stop breaches from outside threats such as the Shodan search engine.
If you use an internal Wi-Fi router, connect to it rather than your external ISP router. Make sure that you have encryption turned onto the router to stop eavesdroppers. This means that the router must have a passcode and encryption set up, and your IoT device should connect to the router using this passcode and encryption scheme.
If you synchronize any content with the cloud, ensure that the manufacturer requires a user name and password to view videos. Most manufacturers have some kind of authorization, but not all of them make privacy a priority for their customers.
Anyone heavy into IoT devices should read the packaging before purchasing an insecure device. As more breaches occur, manufacturers will eventually be required to offer better security.