Connected device security advice

by Mark Rowe

Smart cameras (the security cameras and baby monitors used to monitor activity in and around your house) usually connect to the internet using your home Wi-Fi. This means you can watch a live camera feed, receive alerts when you’re out and about, and sometimes record footage. However, as with any ‘smart’ device that can connect to the internet, you should take a few steps to protect yourself, says the UK’s official National Cyber Security Centre (NCSC).

The problem arises because some cameras are shipped with the default password set by the manufacturer, which is often well-known or guessable (such as admin or 00000). Cyber criminals can use these well-known passwords (or other techniques) to access the camera remotely, and view live video or images.

So if your camera comes with a default password, change it to a secure one; connecting three random words which you’ll remember is a good way to do this. Regularly update security software, and if you do not use the feature that lets you remotely access the camera from the internet, it’s recommended that you disable it.

For the guidance in full visit https://www.ncsc.gov.uk/guidance/smart-security-cameras-using-them-safely-in-your-home.

Dr Ian Levy, NCSC Technical Director, said: “Smart technology such as cameras and baby monitors are fantastic innovations with real benefits for people, but without the right security measures in place they can be vulnerable to cyber attackers. We want people to continue using these devices safely, which is why we have produced new guidance setting out steps for people to take such as changing passwords. These are practical measures which we can all take to help us get the most out of our home-based technology in a safe way.”

Comment

Tim Callan, Senior Fellow at Sectigo, an automated PKI management product company, said: “Connected device security stands to benefit from well-considered legislation and guidance, like these set out by the NCSC. But, while this advice is a good start, we must not fall into the trap of believing that passwords are sufficient to address identified gaps in IoT security.

“Unfortunately, despite the NCSC recommendations for unique, secure passwords, the password paradigm is fundamentally vulnerable to well-established techniques including phishing, social engineering, and credential stuffing. To get around these problems, manufacturers should consider Public Key Infrastructure (PKI) solutions, which can provide a more trustworthy identity for devices. PKI provides unique cryptography-based access for each device with no potential for social engineering or other password attacks. The mechanisms, processes, and widespread platform support we have for PKI are easy to expand to the needs of connected devices.”

Caroline Normand, Director of Advocacy at the consumer campaign body Which?, said: “Which? has repeatedly exposed serious security flaws with devices including wireless cameras and children’s toys, so mandatory security requirements and strong enforcement that ensures manufacturers, retailers and online marketplaces are held accountable for selling unsecure products is essential. Until new laws are in place, it is vital that consumers research smart device purchases carefully, and follow guidance to ensure their devices are protected by strong passwords and receiving regular security updates to reduce the risk of hackers exploiting vulnerabilities.”

On passwords, Barry McMahon, Senior Manager, Identity and Access Management at remote IT access product firm LogMeIn, said: “It may seem obvious, but based on the passwords that the NCSC recently revealed as being hacked most, the most secure passwords are long and randomly generated. However, these can be difficult to create and remember, resulting in password reuse across devices and online accounts. Poor password hygiene, whether it’s failing to change default passwords or using weak or repeated credentials, makes users easy targets for hackers. Using a password manager kills two birds with one stone as they can be used to both generate and store unique passwords for every login. The username and password are then stored within a secure vault, where they’re organised and encrypted for safekeeping and ease of access.”

© 2024 Professional Security Magazine. All rights reserved.