The flaw, identified in a network connection protocol, could allow hackers to remotely take control of IP cameras
A new flaw, discovered in some of the most widely used surveillance cameras, risks compromising the privacy of millions of users. Senrio, a company specializing in information security, has found the vulnerability in devices manufactured by Axis Communication.
The hole, found in the library of open-source software used by the devices, could potentially allow hackers to remotely take control of security cameras without needing to know login credentials. And not just Axis Communication's. The library, in fact, is also used in video surveillance systems developed by other companies and in many other devices. The vulnerability, named "Devil's Ivy" by Senrio experts, would allow cybercriminals to penetrate the gSOAP toolkit, a protocol that cameras use to connect to the network.
What users risk
There are many risks for users who own one of the accused cameras. Hackers, in fact, having access to security devices, could view everything that is recorded in homes and buildings where they are installed. In addition, once the hackers were able to breach the gSOAP library, they could also block access to the cameras to the users themselves. At the moment, according to Axis Communication, there are about 250 affected devices, and to fix the flaw, the company has released an update patch.
As anticipated, although the number of IoT objects using the Genivia-developed protocol remains unspecified for now, the vulnerability could affect many companies, including those that are part of the ONVIF consortium, a network of companies whose goal is to produce standardized interfaces for security systems, which also includes Axis Communication.
IP cameras are very fragile
This is not the first time IP cameras have come under fire. Like any IoT device, their problem is that they are able to connect over a network. And, therefore, they are hackable by hackers.
In addition, most of the always-connected objects of the Internet of Things are not yet equipped with a reliable protection system. Finally, only a few users pay attention to the security of these devices. Few devices are, in fact, updated or protected by a password. With all that that entails.