Survey Sounds More Alarms on Internet of Things in the Enterprise

Traffic observed from an IP surveillance camera shows communication with servers operated by the manufacturer. Often, such communications were found to be insecure. (Image courtesy of zScaler.)

In-brief: A survey of customer networks by the firm zScaler found that cameras, printers, video recorders and other devices are common – and often easy to snoop on and attack. 

Enterprise networks are rife with devices including IP enabled cameras, multi-function network printers and digital video recorders – even television sets – that lack adequate security and that could become a part of “thing” botnets like the recent Mirai, a study by the firm zScaler has concluded.

The survey by zScaler’s ThreatLabZ team covered traffic to and from customer web sites over a two month period, from late August to late October, 2016, and found that connected devices like cameras were a fixture and were often insecure or under-secured, the company said in a statement.

The research was conducted to determine if zScaler customers operated devices that had been enrolled in the Mirai botnet, a large and malicious network of cameras, DVRs and other devices that launched large denial of service (DoS) attacks against media web sites and a managed Domain Name System (DNS) provider, Dyn, in September and October.

While zScaler didn’t find any Mirai infected systems, it did find lots of insecure devices that easily could have been compromised. Many devices still rely on plain text HTTP protocols for authentication, firmware updates and other communications, zScaler discovered. That makes them vulnerable to “sniffing” and so-called “Man in the Middle” attacks that can grab data transmitted wirelessly and in the clear.

IP Cameras like this were common on enterprise networks, and often vulnerable to snooping or other attacks. (Image courtesy of zScaler.)

Wireless surveillance cameras from the firm FLIR communicated using plain-text HTTP with servers operated by the manufacturer to obtain firmware (software) updates. No authentication tokens were used in the exchanges, making the update process easy to snoop on and abuse.

Similarly, IP surveillance cameras by the firm Foscam were detected on some zScaler customer networks. Those devices were found to leak user credentials via HTTP in the URI (uniform resource identifier). That means anyone observing the traffic to and from the camera could capture the user (or administrator’s) credentials.
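The two weaknesses described above (firmware fetched over plain HTTP and credentials carried in the URI) can be hunted for in web proxy logs. The following is an added example, not code from zScaler or from the original article; the log format, host names, parameter names and firmware file extensions are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines: source IP, method, URL (all values invented).
SAMPLE_LOG = """\
10.20.1.15 GET http://camera-vendor.example/cgi-bin/status.cgi?user=admin&pwd=hunter2
10.20.1.15 GET https://camera-vendor.example/cgi-bin/status.cgi?user=admin&pwd=hunter2
10.20.1.22 GET http://updates.vendor.example/fw/cam_v2.bin
10.20.1.30 GET http://intranet.example/index.html?page=2
10.20.1.31 GET http://viewer:s3cret@nvr.example/live
malformed line
"""

# Assumed names for secret-bearing query parameters; tune to the devices you see.
SECRET_KEYS = {"pwd", "pass", "passwd", "password", "token"}
# Assumed firmware image extensions.
FIRMWARE_EXT = re.compile(r"\.(bin|img|fw)$", re.IGNORECASE)

def classify(url):
    """Return sorted finding labels for one URL; only cleartext http:// is flagged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []
    labels = set()
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    # Secrets in the query string or in the user:password@host part are visible on the wire.
    if keys & SECRET_KEYS or parts.password is not None:
        labels.add("credentials-in-uri")
    if FIRMWARE_EXT.search(parts.path):
        labels.add("cleartext-firmware")
    return sorted(labels)

def scan(log_text):
    """Return (source_ip, host, labels) per flagged line; secret values are never echoed."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:  # skip malformed lines rather than fail the whole scan
            continue
        src, _method, url = fields
        labels = classify(url)
        if labels:
            results.append((src, urlsplit(url).hostname, labels))
    return results

if __name__ == "__main__":
    for src, host, labels in scan(SAMPLE_LOG):
        print(src, host, ",".join(labels))
```

The source addresses in the output give a starting inventory of devices to segment or reconfigure; the same request sent over HTTPS is deliberately not flagged.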

Of five surveillance camera types identified by zScaler on customer networks, only one did not appear to be communicating using insecure or insufficiently secured communications, according to the zScaler report.

Network video recorders, or NVRs, are used to capture and store surveillance camera video feeds and are also vulnerable to attack, zScaler found. The VideoEdge NVR, which is used to manage surveillance cameras in enterprise environments, was found to have weak administrator credentials by default and to communicate over HTTP, making the devices susceptible to snooping and Man in the Middle attacks.

Networked and Internet connected printers are also a concern, zScaler said. The company’s survey of customer networks found that Fuji Xerox printers were connecting to “maintenance logging modules” without first authenticating to them. That makes them susceptible to attack and compromise.

So too IP-based phones. A Panasonic brand IP phone for enterprise was observed downloading a root certificate and authenticating to management servers via plain text HTTP, zScaler found.

In short: insecure devices like cameras, phones, video recorders and televisions are already a security issue within enterprises, zScaler concluded. Worse: companies with such devices deployed may not be aware of them or the risk they pose. Even companies with infected devices are unlikely to notice the infection unless they are scrutinizing the traffic of the infected device, or unless they have many infected devices participating in an attack in a way that slows the network.

Beyond that, Internet of Things devices like cameras and NVRs may support multiple management protocols like SSH, Telnet and HTTP from the same network interface. Changing the administrator credentials on the web administrative panel (HTTP or HTTPS) doesn’t necessarily make the device more secure from attacks that attempt to reach the device over other supported protocols from external networks.

Analysis by the firm Flashpoint in October found that large-scale denial of service attacks against the managed DNS provider Dyn were carried out, in part, by cameras, digital video recorders and other “Internet of Things” endpoints infected with the Mirai malware.

That malware took advantage of poorly designed and poorly configured cameras from a Chinese vendor, Xiongmai Technologies, among other targets.
