A seasoned security researcher recently warned that hackers can easily breach more than 120,000 IoT cameras.
He presented these findings, along with some predictions about the future of hacking IoT systems, at the Def Con Hacking Conference in Las Vegas last month.
The findings come from Alex Balan, a researcher at the Romania-based cyber security company Bitdefender.
In a recent study, Balan and his research team found that some cameras manufactured by the Chinese company Shenzhen Neo Electronics contain vulnerabilities that allow hackers to gain complete control over the devices from a remote location.
These findings suggest that a time might come when a hacker will be able to amass an IoT botnet of almost 150,000 devices.
After informing the public and the media about the flawed IoT cameras, Balan added that he reported the issue to Shenzhen Neo Electronics, but the company hadn’t yet responded to him.
According to the researcher, this raises the concern that the problem hasn’t been fixed yet and might never be resolved.
Balan has described the issue as “unpatched” and “un-patchable.”
The Cameras in Question
The two cameras in which Balan has spotted problems are the iDoorbell and the NIP-22.
Alarmingly, other cameras manufactured by Shenzhen Neo Electronics might also have similar bugs.
Balan and his team make this prediction because all cameras made by the Chinese firm run on the same firmware.
According to the Bitdefender researcher, there is no mechanism that can push patches onto the cameras automatically.
This is, however, not the first time we are hearing about vulnerabilities spotted in IoT cameras or devices.
Before these two cameras from Shenzhen Neo Electronics, flaws had been found in several other IoT devices, including stuffed animals, crockpots, sex toys, dishwashers and surveillance cameras.
This has actually become a trend in the last few years.
Hackers could obviously compromise such devices individually.
However, there have been instances where hackers have successfully enlisted several thousand such vulnerable devices into botnets.
In one of the most high-profile cases, such botnets were used to launch denial-of-service attacks that damaged internet services on the East Coast of the U.S.
Analysis and Results
After analyzing the iDoorbell and the NIP-22, Balan concluded that the two devices have different kinds of vulnerabilities.
The first bug is a buffer overflow, which allows hackers to gain complete control over the cameras from a remote location.
This gives hackers the power to turn the compromised cameras into electronic zombies forming a botnet.
The second bug is that the vulnerable cameras have default username and password combinations.
These default combinations allow unauthorized people to log into the devices from various remote locations and watch live video streams.
Shodan, a search engine that lists vulnerable IoT devices, reports more than 130,000 cameras with confirmed vulnerabilities (as of writing).
When asked about the bugs, Balan said that the username and password combinations “guest”/“guest” and “user”/“user” allow anyone to log into the cameras and gain access to the videos streaming on those devices.
Balan made it clear that, even as he makes these statements, hackers might be busy making the situation worse for internet users.
According to him, the current number of vulnerable devices might be well over 120,000.
He believes a hacker might even succeed in developing a botnet with 200,000 vulnerable devices.
Balan is hoping that the revelations in his Def Con Hacking Conference presentation will help raise public awareness around various IoT flaws.
He feels that right now, internet users around the globe aren’t aware of the possible hacks that could occur on their Internet of Things devices.
However, the scenario might change pretty soon if IoT devices are hacked frequently by people with unscrupulous intent.