A discovery by Kaspersky Lab researchers this week has the security industry – and concerned camera owners – buzzing about the implications of privacy and risk around interconnected devices and the Internet of Things (IoT).
Here is the overview of the news: Kaspersky Lab researchers uncovered multiple security vulnerabilities in popular smart cameras that are frequently used as baby monitors or for internal home and office security surveillance.
What are some of the nefarious things attackers could do by exploiting these vulnerabilities? Kaspersky says the holes could allow malicious users to:
- Access video and audio feeds from any camera connected to the vulnerable cloud service;
- Remotely gain root access to a camera and use it as an entry point for further attacks on other devices on both local and external networks;
- Remotely upload and execute arbitrary malicious code on the cameras;
- Steal personal information such as users’ social-network accounts and information which is used to send users notifications; and
- Remotely “brick” vulnerable cameras.
All these attacks str possible because experts found that the way the cameras interacted with the cloud service was insecure and open to relatively easy interference. They also found that the architecture of the cloud service itself was vulnerable to external interference.
Find out more details about the research on Kaspersky’s site.
Vulnerability in smart cameras is not a new thing. Other security researchers have uncovered security holes in cameras in the past. It's also not the first time we have seen the implications of attacks on IoT devices. The Mirai botnet, discovered in 2016, targeted online consumer devices such as IP cameras and home routers. The malware used the devices to launch distributed denial-of-service (DDoS) attacks on several websites, giving us a sober awakening to the security risks around IoT devices.
While many still think about IoT as a consumer concern, it is very much an enterprise and business issue today. Gartner forecasts there will be 20 billion connected devices by 2020. Businesses are increasingly looking to IoT not only for productivity, but as part of offerings and services.
“Enterprise IoT is where the action is, not Alexa, Google Home, flashy things like the connected car,” said Karpinski. “It’s the down-and-dirty applications in manufacturing, health care, transportation and oil and gas. They’re going to be the really big drivers and see a lot of the big investments.”
Karpinski will speak about how channel partners can become leaders in IoT at the upcoming Channel Partners Conference and Expo in Las Vegas, April 17-20.
This week’s Kaspersky news begs the question for all MSSPs: What are you doing with IoT security? What is your message going into customer meetings on the topic? What offerings do you have around it?
As IoT devices continue to explode, and industrious criminals continue to find ways to exploit them, anyone who isn’t prepared to answer questions and help clients stay protected does so at their own professional risk.