Home surveillance/security cameras have been available for quite some time, and can be used to keep track of one’s home, children, pets, or business. These devices are, in some ways, the first exposure of people to the Internet of Things.
For most people, home surveillance means setting up a camera and using the Internet to access the camera feed in real time. Higher-end camera models can even be controlled remotely, making them useful for monitoring a large area with a single camera. This is a marked difference from previous iterations of home surveillance, which had restrictions or limitations in terms of accessibility.
Online and Open Accessibility
The older generation of security cameras required configuring the home router, for example with port forwarding, so that you could view the video feed remotely. While convenient, this set-up means that the camera is also accessible to pretty much anyone with an Internet connection.
Figure 1. Search results from Shodan
There are even sites that offer streaming videos of publicly accessible cameras. A now-inaccessible Russian site took advantage of default usernames and passwords to access and upload camera feeds online. According to an article by CNN, the site featured streams from 4,600 cameras in the U.S. and thousands more in 100 countries. A quick online search revealed the existence of other, similar sites. There are even mobile apps that provide real-time streaming from cameras across the world.
Figure 2. Camera feeds all over the world
Perhaps in direct response to this issue, the newer generation of security cameras usually provides some form of cloud management and/or viewing functions. Once configured, the camera communicates with the vendor cloud servers, allowing users to view the feed by logging into a web portal or by using mobile apps published by the vendor.
In this set-up, the camera communicates only with the vendor cloud servers. Connections initiated from the Internet cannot reach the camera, as the home router blocks them. This makes the camera more secure against activities like unauthorized remote viewing.
Vendor and User Security
Accessibility issues aside, another important issue for these cameras is data protection. Vendors should strongly encrypt all data and video feeds sent from the device to the cloud servers to protect user privacy. However, we found that some popular camera brands are still lacking in their security implementation.
For example, the screenshot below shows a packet capture of a D-Link DCS-932L camera communicating with the D-Link cloud server. Certain traffic from the camera to the cloud servers is encrypted, but not all. There is still cleartext communication over the Internet. Such an issue can only be addressed by the vendor, not the users.
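The kind of check behind that observation can be scripted as a first pass over the outbound flows of a camera you own. The following is an added example, not code from the original article or from D-Link: it labels each flow as TLS, cleartext, or unknown based on the first payload bytes. The flow addresses and payloads are constructed sample data, and the function names are hypothetical.

```python
import string

# Constructed sample: first payload bytes of three outbound flows from a camera.
# Addresses, ports and contents are made up for illustration only.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10:443",
     "payload": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32},
    {"dst": "203.0.113.10:80",
     "payload": b"POST /signal HTTP/1.1\r\nHost: cloud.example\r\n\r\nuser=demo"},
    {"dst": "203.0.113.20:5000",
     "payload": bytes(range(200, 256)) + bytes(range(0, 40))},
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")
PRINTABLE = set(string.printable.encode())

def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # Content types 20-23: change_cipher_spec, alert, handshake, application_data.
    # Record length is capped at 2^14 + 2048 bytes for protected records.
    return (20 <= content_type <= 23 and major == 3 and minor <= 4
            and 0 < length <= 16384 + 2048)

def classify(payload: bytes) -> str:
    """Label one flow by the start of its first payload."""
    if looks_like_tls(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "cleartext-http"
    printable = sum(b in PRINTABLE for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "cleartext-text"
    # Could be proprietary encryption or raw media: needs manual inspection.
    return "unknown-binary"

def audit(flows):
    """Map each destination to its classification."""
    return {f["dst"]: classify(f["payload"]) for f in flows}

if __name__ == "__main__":
    for dst, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{dst:22} {verdict}")
```

A "tls" verdict only means the flow starts with a TLS record header; it says nothing about certificate validation or cipher strength, and "unknown-binary" flows still need to be inspected by hand.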