The saga of hacks made on Samsung’s popular SmartCam security cameras is a perfect illustration of why your network defense must start with a well-managed firewall. It has become impossible to rely on IoT device makers to create completely secure devices, and unworkable to have to keep them all up to date even when patches are provided. So while the history of these hacks isn’t unique, it does provide a good case study.
Devices start out problematic and usually get worse
Most IoT devices use a customized version of an off-the-shelf OS distribution, often Android or Linux. So they immediately come with whatever problems those OSes have. But once the software has been modified to fit the needs of each particular device, the benefit of any standardized platform updates is lost (although even those would assume that the device maker supported an automatic update mechanism). So each manufacturer needs to stay on top of all the exploits of the platform, as well as of its own software, and address them in a timely fashion. Some vendors manage to do that. But it only takes one hacked device to start to cause problems on your network.
In the case of Samsung SmartCam cameras, the original hack was revealed in August 2014, but from what I can tell Samsung didn’t distribute a patch until 2016 (which is when it was pushed in a firmware update to one of my SmartCams, among many others). It’d be one thing if Samsung was unique in this lag time, but it isn’t. Plenty of other IoT makers aren’t any faster. Worse yet, in the case of some of the commercial cameras exploited as part of recent DDoS attacks, they don’t have a simple way to distribute patches. When I did a roundup of security cameras recently, none of them impressed me as being rock-solid on security.
The problem with patches
Samsung’s patch for the original exploit illustrated two typical problems. First, it broke LAN access to the cameras, so those relying on access for local recording and streaming suddenly found their cameras unusable after the firmware update. It was not lost on users that Samsung rolled out a fee-based cloud DVR service on exactly the same day. Many users elected not to install the new firmware — and live with the exploit — rather than cripple their systems.
Second, the patch wasn’t very good. It left plenty of stubs of the services in place. On the bright side, this meant that enterprising developers figured out how to restore streaming functionality. On the darker side, it meant that it was only a matter of time before the original hackers hacked the patched cameras. This week exploitee.rs showed how a hacker could alter the camera’s passwords and have it run arbitrary code.
Clickbait headline writers need to take a chill pill
All you need to do is search the web for articles on webcam hacks and you’d think zombies are about to invade your house and kidnap your pets and children. Only some of the articles bother to point out that almost all of these hacks (including the ones on the Samsung SmartCams) require the ability to get to the device directly using its IP address. In almost all residential and commercial networks, that address is local, probably dynamic, and sits behind a firewall whose job it is not to let hackers in.
So yes, if someone was on your LAN, or hacked your Wi-Fi, they could potentially hack your security camera or your future toaster. That would probably be the least of your problems, though. How many of your other computers, tablets and phones would they be likely to go after first?
As to the sensational headlines about zillions of security cameras being exploited for DDoS attacks, those are almost entirely ones found in industrial installations (think remote locations, for example) where they are directly Internet-addressable. They also are primarily low-end versions sold in developing countries. I’m the last person to downplay the importance of patching security flaws in IoT devices, but at the same time we need to make sure that users realize they need to be responsible for protecting their entire home network. By the time hackers get to where they can start poking around your local devices, you are already in trouble. One obvious place to start is to make sure whatever router you use has firewall software that is kept up to date. And think carefully any time you open up a port on it to the outside or enable port forwarding.
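One way to review what your router already forwards to the outside, as an added example that is not from the original article: the Python sketch below lists every port-forward (DNAT) rule and the LAN device it exposes. It assumes a Linux-based router whose NAT rules can be dumped in `iptables-save` format; the sample rules, addresses and device inventory are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: NAT-table excerpt in iptables-save format (not from a real router).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -i eth0 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed inventory: LAN address -> device label.
INVENTORY = {"192.168.1.50": "camera", "192.168.1.2": "vpn-gateway"}

def opt(tokens, flag):
    """Return the value following `flag` in a tokenized rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def find_forwards(rules_text):
    """Yield one dict per DNAT rule, i.e. per port opened to the outside.

    When the DNAT target names no port, the original destination port is kept.
    """
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "PREROUTING"] or opt(tokens, "-j") != "DNAT":
            continue
        host, _, port = opt(tokens, "--to-destination").partition(":")
        ext_port = opt(tokens, "--dport")
        yield {"proto": opt(tokens, "-p"), "external_port": ext_port,
               "host": host, "internal_port": port or ext_port}

def audit(rules_text, inventory):
    """Return the forwards that make a private (LAN) address reachable from the internet."""
    findings = []
    for fwd in find_forwards(rules_text):
        if ipaddress.ip_address(fwd["host"]).is_private:
            fwd["device"] = inventory.get(fwd["host"], "unknown")
            findings.append(fwd)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, INVENTORY):
        print("{proto}/{external_port} -> {device} {host}:{internal_port}".format(**f))
```

Any line it prints for a camera or other IoT device is a forward worth questioning, since that device is then reachable directly from the internet regardless of its private address.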