In a press release, the security firm said it uncovered flaws that enable attackers to obtain remote access to video and audio feeds in the cameras. The flaws enable hackers to disable the devices and place malicious code on them, among other things, Kaspersky Lab said.
“The problem with current IoT [Internet of Things] device security is that both customers and vendors mistakenly think that if you place the device inside your network and separate it from the wider internet with the help of a router, you will solve most security problems — or at least significantly decrease the severity of existing issues,” said Vladimir Dashchenko, head of vulnerabilities research group, Kaspersky Lab ICS CERT, in the press release. “In many cases, this is correct: Before exploiting security issues in devices inside … a targeted network, one would need to gain access to the router. However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable.”
According to Kaspersky Lab, while past research raised concerns about security flaws with smart cameras, it said its latest research shows that not just one but a whole range of smart cameras are vulnerable to several “severe remote attacks” because of insecurely designed cloud-backbone systems that were created in the beginning to enable camera owners to access videos from other devices remotely.
By exploiting the flaws, the research firm said hackers can access video and audio feeds from any camera connected to the vulnerable cloud service, remotely gain root access to a camera and use it for further attacks, remotely upload malicious code, steal personal information and remotely “brick” cameras. It noted that during its research, experts found close to 2,000 vulnerable cameras working online. It said there could be more that are behind routers and firewalls.