Siemens-branded IP-based CCTV cameras are the
latest internet-connected devices to be found vulnerable to hacking attacks.
In this particular instance, according to a security advisory issued
by Siemens, the vulnerability – known as CVE-2016-9155 – could be remotely
exploited by malicious attackers to trick CCTV cameras into revealing admin
passwords:
The latest update for SIEMENS-branded IP-based CCTV
cameras fixes a vulnerability that could allow a remote attacker to obtain
administrative credentials from the integrated web server.
Until patches can be applied, restricting access to
the integrated web server with appropriate mechanisms is recommended
The following CCTV camera models, built by
Vanderbilt Industries who acquired Siemens’ security product line in June last
year, are said to be at risk:
·
CCMW3025: All
versions prior to 1.41_SP18_S1
·
CVMW3025-IR:
All versions prior to 1.41_SP18_S1
·
CFMW3025: All
versions prior to 1.41_SP18_S1
·
CCPW3025: All
versions prior to 0.1.73_S1
·
CCPW5025: All
versions prior to 0.1.73_S1
·
CCMD3025-DN18:
All versions prior to v1.394_S1
·
CCID1445-DN18:
All versions prior to v2635
·
CCID1445-DN28:
All versions prior to v2635
·
CCID1445-DN36:
All versions prior to v2635
·
CFIS1425: All
versions prior to v2635
·
CCIS1425: All
versions prior to v2635
·
CFMS2025: All
versions prior to v2635
·
CCMS2025: All
versions prior to v2635
·
CVMS2025-IR:
All versions prior to v2635
·
CFMW1025: All
versions prior to v2635
·
CCMW1025: All
versions prior to v2635
The good news is that Vanderbilt has released
updates for the vulnerable devices. The further good news is that, to date,
there is no evidence that any malicious hackers have exploited the
vulnerability.
There is bad news, however.
Firstly, it sounds as if the attack is relatively
trivial for an attacker to pull off by sending a carefully-formed but simple
HTTP request.
Additionally, it’s easy to predict that many of the
vulnerable devices may not have patches applied to them in a prompt fashion (if
at all) – a common problem with the Internet of Things.
Just making a patch available does not mean that
the problem has gone away.
And that’s a problem. In the case of the
Siemens-branded CCTV cameras they’re in use around the world at commercial
facilities, in the healthcare industry and at government facilities. Not the
kind of organizations that one imagines can afford to have their admin
credentials leaked to cybercriminals.
This is, of course, far from the first time that
flaws have been found in CCTV cameras that could be exploited by attackers.
For instance, last month there was a massive DDoS
attack against domain name service Dyn, which in turn disrupted access to
well-known sites such as Twitter, Pinterest, Reddit, and the Playstation
network.
The DDoS attack was perpetrated by the Mirai
botnet, powered by hijacked IoT devices, including hacked webcams.
As the Internet of (often insecure) Things expands,
it poses a bigger threat to businesses and home users alike. ESET warned earlier this year that IoT would
make more regular appearances in security headlines:
“For the future, the challenge for security in IoT
is not restricted to the household. Technology keeps improving and time
and time again we see how governments, industries and markets in general are turning towards interconnectivity for all equipment, systems, and services. From market research to traffic systems, all things are being interconnected through existing technologies but, in certain cases, without the proper implementation of security protocols.”
and time again we see how governments, industries and markets in general are turning towards interconnectivity for all equipment, systems, and services. From market research to traffic systems, all things are being interconnected through existing technologies but, in certain cases, without the proper implementation of security protocols.”
It feels to me that when it comes to IoT security
things are going to get worse before they have any hope of getting better.
And it’s also clear that news of the CCTV camera
vulnerability has only added to a bad month for the Siemens brand in terms of
security.
Earlier this month, the Department of Homeland
Security’s ICS-CERT issued an alert that industrial control products
developed by Siemens suffered from a local privilege escalation vulnerability
that could leave SCADA equipment open to attack.