REVIEW: Home security cameras fall short on security

In tests of 7 IP-based cameras, only Canary passed muster.


How secure are IP-based “security cameras”?

Based on our review of seven home security cameras, the answer is: Not very. While these devices may get high marks for features and ease of use, security is another story.

Our tests turned up results like these:

  • One camera allows plaintext logins as the root user, with no password. That’s horrifying in this day and age.
  • The same camera uses an outdated version of SSL that allows data leakage. A firmware update fixes both issues, but the upgrade is optional and many users skip it.
  • Another camera leaks its private API structure in plaintext even though it uses TLS to encrypt traffic. This potentially allows attackers to change video streams and possibly other device parameters.
  • Yet another camera can run a hacked firmware image that disables some services and enables others.
  • Two more cameras present SSL certificates that not only claim to be a different host, but also come from a certificate authority with a record of issuing bogus credentials.

It’s not all bad news. One camera, the CAN100USWT from Canary Connect, stood head and shoulders over the field in baking security into its product design. The Canary camera runs no services onboard, removing a whole class of attacks in which intruders try connecting to the device. And users cannot disable its automatic firmware upgrades, something we’d like to see in every device.

We didn’t find any vulnerabilities in the Canary camera, but of course that doesn’t mean it’s immune to attack. What it does show, both in the Canary camera and its smartphone app, is a more rigorous designed-in approach to security than we saw in any of the other cameras.


Let’s state up front that, with two exceptions, we’re not naming names in this article. That’s more out of expediency than anything else. The two exceptions are Canary and XiongMai, the Chinese company whose cameras were exploited in a large-scale DNS DDoS attack during our tests. We’re naming XiongMai only to note its cameras weren’t part of this test.

For this review, we didn’t attack cloud services or local networks; both may have their own vulnerabilities, but those were beyond the scope of our tests. Instead, we took a narrower and stealthier approach, mostly involving listening to and probing the cameras themselves. First, using the venerable tcpdump packet capture tool running on the local router, we monitored traffic to and from each camera to check for inbound and outbound connections. The outbound traffic, triggered by the smartphone app, turned out to be quite revealing in one case, as we’ll discuss later in detail.

We also used several scanning tools to probe the cameras to determine which services ran on each camera. We used nmap, the well-known security scanner, to act as a client trying to connect to every port on each camera.

We probed TCP connections in “stealth mode,” meaning nmap sent a TCP SYN packet and checked only for a TCP SYN/ACK response rather than completing an entire application-layer handshake. The “stealth” part here is that the target device is far less likely to detect probing, since TCP connection attempts that never complete typically aren’t logged.
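An added example, not part of the original review: a short Python script that reads tcpdump text output, separates connections a camera opened from connections made to it, and flags half-open SYN probes of the kind described above, which is how such a scan shows up in a router capture even when the device logs nothing. The capture lines, IP addresses and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt` text output (not from the review's captures).
CAPTURE = """\
1478000000.10 IP 192.168.1.50.40022 > 203.0.113.10.443: Flags [S], seq 100, win 29200, length 0
1478000000.15 IP 203.0.113.10.443 > 192.168.1.50.40022: Flags [S.], seq 900, ack 101, win 28960, length 0
1478000000.16 IP 192.168.1.50.40022 > 203.0.113.10.443: Flags [.], ack 901, win 229, length 0
1478000001.00 IP 192.168.1.7.51000 > 192.168.1.50.80: Flags [S], seq 1, win 1024, length 0
1478000001.01 IP 192.168.1.50.80 > 192.168.1.7.51000: Flags [S.], seq 5, ack 2, win 5840, length 0
1478000001.02 IP 192.168.1.7.51000 > 192.168.1.50.80: Flags [R], seq 2, win 0, length 0
1478000001.03 IP 192.168.1.7.51000 > 192.168.1.50.8080: Flags [S], seq 1, win 1024, length 0
1478000001.04 IP 192.168.1.50.8080 > 192.168.1.7.51000: Flags [R.], seq 0, ack 2, win 0, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def analyze(capture, camera_ip):
    """Classify TCP flows by who opened them and flag half-open probes."""
    flows = {}  # (client, client_port, server, server_port) -> handshake state
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                                      # client SYN
            flows[fwd] = "syn"
        elif flags == "S." and flows.get(rev) == "syn":       # server SYN/ACK
            flows[rev] = "synack"
        elif flags == "." and flows.get(fwd) == "synack":     # handshake completed
            flows[fwd] = "established"
        elif flags.startswith("R") and flows.get(fwd) == "synack":
            flows[fwd] = "half-open"                          # reset instead of final ACK
    report = defaultdict(list)
    for (client, _, server, port), state in flows.items():
        if state == "established":
            side = "outbound" if client == camera_ip else "inbound"
            report[side].append((server, int(port)))
        elif state == "half-open" and server == camera_ip:
            report["half_open_probes"].append((client, int(port)))
    return dict(report)

if __name__ == "__main__":
    print(analyze(CAPTURE, "192.168.1.50"))
```
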

We also probed all cameras for services running on UDP ports, but these didn’t turn up anything. This isn’t all that surprising, since relatively few well-known services run over UDP.
