HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility.

Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients.

The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks.

Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available online.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Poor security controls on any IoT device could result in it being added to a botnet or used as a Launchpad for other attacks. However, security and surveillance camera security weaknesses are the most concerning, according to a new report by cloud security firm Zscaler.

Zscaler recently conducted a review of security controls on a number of popular home and enterprise security cameras and identified multiple weaknesses that could be exploited by hackers.

The Flir FX wireless HD monitoring camera for instance was found to communicate in plaintext and did not use any authentication tokens. Additionally, firmware updates were not digitally signed. An attacker could update the devices with custom-crafted firmware and take full control of the cameras. The Foscam IP surveillance camera similarly transmitted user data in plaintext over http, including passwords. The passwords were even included in the URL.

The vulnerabilities were not present in isolated devices, but appeared to be much more of a general problem with a multitude of security cameras and other IoT devices found to have serious vulnerabilities.

Security researchers at SEC Consult recently discovered two backdoors in more than 80 models of professional surveillance cameras manufactured by Sony. The devices had hard-coded credentials in a web interface that would enable hackers to remotely enable the Telnet service on the devices. A hard-coded password was also used for the root account that would enable hackers to take full control of the devices via Telnet.

The backdoors were believed to have been installed by Sony for development purposes rather than being introduced by other parties, although flaws such as these could all too easily be exploited. After being notified of the flaws, Sony released a firmware upgrade for the devices last week.

According to SEC Consult, “An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet, or to just simply spy on you.”

Zscaler has warned organizations to take steps to restrict access to IoT devices and, as far as is possible, improve security controls to prevent the devices from attack. Zscaler recommends blocking external ports and updating default credentials with strong passwords. The devices should also only be connected to isolated networks. If compromised, the damage can therefore be limited.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a warning to healthcare organizations about the risks that can be introduced from IoT devices. OCR recommends following US-CERT advice to secure the devices.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.