‘I'm hacked’ message left on dozens of defaced Canon IoT security cameras in Japan

If you don't at least change the default passwords on IoT devices, don't be surprised when they get hacked.

“I’m Hacked. bye2”— That’s the message left behind on most of the hacked Canon security cameras in Japan. Over 60 cameras were hijacked and defaced on Sunday, May 6, but dozens more had been hacked over the last several weeks.

Some victims reportedly are locked out of their cameras; they can’t control them and they can’t correct the defacement. That’s because they didn’t bother to change the default password, but the attacker did. As of right now, only Canon security cameras in Japan have been targeted.

Some of the victims are Japanese local governments, such as the cities of Yachiyo and Ageo, which lost control of the Canon security cameras monitoring the levels of their waterways.

The Japan Times reported that after Yachiyo officials discovered the hacked cameras on April 24, and determined the attacker had changed the default password, they removed the cameras from their network and contacted the police.

An official for the city of Ageo said it noticed its cameras were hacked on April 26. “We had not predicted this kind of situation,” the official said, even after admitting the default password was not changed.

Change the default password or plan to be hacked

Well, you should expect it if you don’t change the default password at the very least. It may be happening to Canon cameras in Japan right now, but there are thousands of Canon security cameras being used in the U.S. and other countries. There are good odds that eventually either this hacker or a copycat will hit them. Default password lists are one of the first things built into botnets, which scan for vulnerable devices.

Toward the end of April, Canon issued a statement strongly advising customers to change the default password. The company also released a document (pdf) with recommended countermeasures to prevent unauthorized access to networked cameras. Besides changing the passwords, Canon’s suggestions included using a private IP for the camera, putting the device behind a firewall, and using SSL. For whatever reason, Canon later removed the documentation; the link currently goes to an error message saying the specified URL was not found on the server.

While some articles list specific victims with uncontrollable cameras — ranging from a fish market, to a solar power facility, to a care facility for people with disabilities, and emphasize that there have been more than 60 victims — it doesn’t seem to scratch the surface of just how many Canon security cameras have been hijacked.

When looking into unsecured Canon IoT cameras in Japan, I saw dozens of hacked cameras. Some were overlooking outdoor spaces, but others were watching over workers. “I’m Hacked. bye2” is still defacing the camera of a busy office. And while that is the most common message, that’s not the only defacement that turned up during my search; “m (_ _) m sorry..” is a different message left on some hacked Canon cameras.

It doesn’t matter where you are located in the world if you connect a ‘smart’ device to the internet, as good security advice doesn’t waver. Don’t think the manufacturer has built-in plug-and-play security; that’s on you. Most of the articles about the Canon IoT camera defacements mention an IT expert who goes by “piyokango” and warns about the crappy, insecure, and vulnerable Internet of Things before urging users to change default passwords.
