Hackers Can Take Over Your Security Cameras—and It’s Easier Than You Think
LAS VEGAS—You install surveillance cameras to protect the security and privacy of your home or business. If someone commits a break-in, you have a video record. But what if you’re not the only one watching those cameras? What if the camera is vulnerable to hacking? You may not be the only one who can tap into the camera’s feed, and at the Black Hat security conference, security researchers revealed exactly how easy it can be.
Noam Moshe, vulnerability researcher with cyber-physical security firm Claroty and member of Claroty’s Team82, did a deep dive into cameras made by Axis Communications, a Swedish company and a major producer of security cameras and related hardware. Axis operates above the consumer level, supplying security for governments, schools, hospitals, and Fortune 500 companies.
Moshe found some serious problems, which he presented to attendees. But don’t run to throw a towel over your cameras. Axis has patched the flaws in its software, so as long as you get the update, you should be fine. As for the next hack (and there will be a next hack), we can only hope it’s found by Moshe and his team, not by hackers with bad intentions.
The Vulnerability: Easy Remote Camera Control
"My day job is to look for vulnerabilities on all sorts of devices, and responsibly disclose them," said Moshe. "It’s my playground." This particular project began when he scanned the internet for unsecured ports and discovered some of them using an unfamiliar service called axis.remoting.
“When I see a service that’s esoteric, that’s my cue,” Moshe explained. He said that Axis is a major security camera vendor for large companies with hundreds of cameras in multiple locations. Remote access is a must, and Axis offers two versions, one that’s extremely secure and expensive, and one that’s less expensive but exposes the axis.remoting service he discovered.
Naturally, the latter is more popular. Moshe explained that the Axis software grants its own device manager complete control over your fleet of cameras, and that can lead to problems (and unintentional access to other people's cameras, too). “Then Axis Camera Station comes into play. From one central location, you can consume all the live feeds,” he explained.
The Hack: Taking Control of Security Cameras
The team focused on hacking these server-side apps, their client apps, and, of course, the cameras. As with many Black Hat presentations, Moshe’s success came from working through endless mistakes and blind alleys. Eventually, he parlayed his access to the point of taking full control of all the security cameras, which are basically tiny Linux computers.
With that degree of control in place, he extended the hack to the servers running Axis Device Manager and Axis Camera Station. “We can now execute code on the client, the server, and all the cameras,” he exulted. Remote execution of arbitrary code, essentially making a device do whatever you want because you can access it completely, is the holy grail of hacking, so this was a huge success.
Who Is Vulnerable to This Attack?
"Who is vulnerable to such an attack?" asked Moshe. He used the device-level search engine Shodan to seek servers that expose the axis.remoting protocol. “I discovered 65,000 servers, 4,000 of them in the US,” he explained.
“But who is sitting behind these servers?” He showed that a simple query revealed the server’s name, from which he could identify the company. "Why do we see so many?" he continued. “This field is less and less open. Many Chinese companies are banned in the US and Europe.” Axis Communications is based in Sweden, so it seems secure.
A Responsible Disclosure Success Story
Moshe mentioned responsible disclosure at the start of the talk. When he disclosed his findings to Axis, the company responded in 10 minutes and got busy patching. “Axis was probably one of the swiftest responses I’ve had,” said Moshe.
"But we need to make sure we are applying those security patches." This is the best possible outcome—researchers find a security flaw and notify the company, and a security patch quickly appears. But Moshe and his team keep seeking new flaws, as do teams of hackers. We can only hope the white hat teams reach the goal first.
A Call to Action for Better Cybersecurity Hygiene
It's even more reason to pay attention to good cybersecurity hygiene, whether you're a big company or an at-home user. Remember, security cameras are just one piece of the puzzle in protecting your home and business from hackers. Stay vigilant and keep up with the latest security updates and patches.