Internet-enabled cameras have become ubiquitous in recent years. In many city streets, there is hardly a front door or entrance gate that is not continually watched by cold, silicon-enabled eyes, many of which are connected to the internet and beyond.
That makes them attractive targets for cybercriminals who have developed sophisticated bots that routinely trawl the internet looking for devices that can be easily hacked.
That raises an important question: how big a problem has this become and what kind of attacks are cybercriminals using to access internet-enabled cameras?
Now we get an answer of sorts thanks to the work of Armin Ziaie Tabari at the University of South Florida and a couple of colleagues. This group has set up a global network of online decoy cameras to attract malicious web users and to monitor their activity. They call these devices honeypot cameras or HoneyCameras.
They say that in that time, attacks have become more sophisticated and that cameras have been increasingly targeted by attackers.
The team began by emulating six internet-connected cameras in servers in different locations around the world. They operated these HoneyCamera instances as part of a larger system to monitor attacks on Internet-of-Things (IoT) devices in general.
Each HoneyCamera instance continually played a loop of a few seconds of a fake video stream protected by basic authentication processes. The team say the system included several fake pages that emulated features of IoT cameras, such as the ability to change passwords, add new users and read network information. “We also developed a false firmware upload service that would let us capture and analyze attack tools and exploits,” say Tabari and colleagues.
There is no legitimate reason for an outside user to access any of these HoneyCameras, so the team considered every access attempt as malicious and recorded them over a 25-month period.
During this time, the HoneyCameras received 3.6 million hits from sites all over the world. The vast majority of these attacks come from bots designed to scour the internet for vulnerable devices.
Some of these attacks attempted to upload coin-mining software and so were not aimed directly at cameras.
However, Tabari and co say they identified plenty of camera-specific attacks. The first was a brute-force attempt to find a username/password combination that would unlock the video stream.
They also found a range of other exploits designed to exploit known weaknesses in certain brands of camera. These included ways of bypassing authentication, of forcing the disclosure of passwords and other techniques.
Tabari and co publish the ten most common usernames and passwords used by these attacks; the most popular being admin/admin. Other popular usernames used in these attacks include: 666666, 888888 and 123456; while popular passwords included: 8hYTSUFk, password and 123456.
Interestingly, Tabari and co designed their HoneyCamera with a known vulnerability that reveals the username and password to login. This took the form of an image that merely looked like a hacked webpage, a trick that makes it accessible only to human eyes.
The cybersecurity team say that 29 IP addresses exploited this vulnerability. “The fact that the user-name and password were only visible to humans’ eyes indicate that these activities likely were performed by a real person as opposed to an automated program,” they say.
That’s interesting work revealing the complex landscape of attacks that almost any internet-connected camera is likely to be subject to.
Tabari and co also created honeypots for other Internet connected devices and found similarly worrying levels of malicious activity. This is likely to increase in the coming years as the numbers of IoT devices rises. By some estimates, there will be over 40 billion of them by 2025. Indeed, the internet security company Kaspersky estimates that IoT attacks more than doubled in the first six months of 2021.
The sheer volume of these attacks suggests that anybody using an internet-connected camera should check their username/password combination to ensure it is as strong as possible. After that, continue to be vigilant—you never know who might be watching.
Ref: What are Attackers after on IoT Devices? : arxiv.org/abs/2112.10974