The explosion of DIY doorbells and indoor IP cameras continues unabated, with consumers purchasing millions of these Wi-Fi devices and installing them in their homes. Upwards of 75 billion IoT-connected devices will be in use by 2025. As can be expected from a trusting public, there have been many instances of these devices being hacked or accessed. Recent stories detail cameras broadcasting racial insults, talking to children and other obvious invasions of privacy.
A growing problem is the sale of “counterfeit” home IP devices over the internet. These products are often exact duplications of “major” manufacturer devices, offered at a substantial discount to the “name” brands. Cheaper is always better, right?
The baked-in security problems for these low-cost IP devices are well documented. Plenty of IoT video cameras have been hacked over the past few years. After devices have been compromised, they are often used to perform denial of service attacks against other internet servers and devices. Because these cameras are connected to the internet to transmit their video images to cloud storage, and many of them have no limit on the number of sign-on attempts, “brute force” attacks, in which the device is bombarded with common passwords until one works, are a typical hacking method. While the vendors inform users to create “strong” passwords and use two-factor authentication, people will generally take the easy way until they find that they have installed an intruder in their living room. Unless users are very network-savvy and constantly monitor the internet traffic from their network, they simply won’t know they’ve been compromised.
There are many factors that contribute to the relative ease of hacking DIY cameras and devices. First, the “off-brand” devices are sometimes manufactured using the same firmware and basic software used in similar devices. So, when vulnerabilities are found in a “discount” DIY IP device, the same problem may well exist in other brands of similar devices.
IP cameras that store their video images onto SD cards inserted into the device are of particular concern. If the camera is hacked, the villain can readily access stored video and glean whatever information they can about the habits of the inhabitants.
These security problems have initiated federal lawsuits against major manufacturers and vendors, citing negligence, invasion of privacy, breach of implied contract, breach of implied warranty and unjust enrichment. As the suppliers of these devices, companies are ripe targets for individual and class action lawsuits.
Shifting the storage of recorded video to cloud services is generally a more secure option for our customers, as a hacker must now battle with major vendors who take their internet security seriously. This doesn’t mean that bad things can’t happen; this past December, an Amazon Web Services (AWS) U.S.-based server suffered a power outage that knocked a number of services off the internet. A comforting thought: the service that is heavily used by our local, state and national government, law enforcement and military doesn’t have backup power at all critical locations? Just sayin’…
If you are currently using a cloud service for your business data and/or client video, you might want to look into DownDetector.com, a service provided by Ookla that tracks outages of cellular and internet services. If you are having problems, you can quickly check to see if it’s internet-wide or just your system that’s having issues.
The takeaway for low voltage contractors is to install quality IP cameras and devices, program all available security options, and inform clients of their need to protect their passwords from being hacked. Smart companies will review the “standard” contract they use with their customers to ensure that the installing company has minimal exposure to legal action or financial losses if and when an IP device or system is hacked.