Fault by default

Posted On 02 Dec 2014

In November it hit the headlines that a Russian website is offering the ability to view images from network cameras such as webcams, baby monitors and some CCTV cameras. While this potential vulnerability in IP systems is nothing new to many of us, it highlights the disturbing failure of installers to change default access codes. Furthermore, it highlights it to an audience that loves a good scare story and, worryingly, rather than making some members of the public take action to secure cameras, it might make them turn them off instead.

Over recent months in PSI, specifically following another high-profile security breach involving celebrity photos and the Cloud, we asked our Panel to give us their thoughts on the security of remote access technology, and just about all of them made reference to changing default passwords and securing the network. In other words, it is an error on the part of the humans involved rather than a problem with the software.

Speaking at the time of the media frenzy surrounding camera hacking the Chair of the British Security Industry Association (BSIA), Pauline Norstrom, said: “We find that about half of the companies and organisations we talk to, large and small, don’t have adequate precautions. Sometimes it is a lack of awareness or simply a sloppy approach towards the security of their networks. Yet the results of being hacked can be catastrophic.

“In the case of an organisation that was responsible for five schools, we found that two schools had cameras that could easily be accessed by outsiders. The potential results if unscrupulous intruders had exploited this vulnerability would have been extremely serious. Yet, such risks can be eliminated with quite straightforward security actions.

“With so many media stories about hacking such as the News International debacle, it should be a top priority to ensure that networks are protected. The hacking of cameras has a wider implication as it can lead onto phone lines, web servers and in turn access to personal and transactional data. It all adds up to organisations not taking elementary and straightforward security precautions.

“Installers need to guide their clients as many companies do not consider the issues and implications. The technology is there to prevent hacking. It is not overly complex to ensure networks are protected. Yet, the issue remains and we have not seen it diminish over the years.”

Essentially, the problem occurs because whoever installs the cameras is not changing the passwords and ID names of units when putting them onto a network. In the same way that the telephone hacking was carried out by some media outlets using default codes, the Russian website gives the default details of some of the widely available cameras (such as ID: Admin, PIN: 0000) to give access to unsecured systems. It is vital that installers change these codes and, if possible, use a secured, dedicated network.

Owners of the site have said that they only created the site to show the vulnerabilities of cameras and will now take the pages down. However, the damage has been done and the seed of doubt has been sown. Now is the time to act and make sure all IP systems are secured properly before any more negative publicity can be generated as a result of the basics being overlooked.