How internet-facing webcams could put your organization at risk

By exploiting webcams and other IoT devices, hackers can spy on private and professional conversations, potentially giving them access to sensitive information, says BitSight.


Imagine a cybercriminal hacking into an internet-facing webcam set up in your organization and spying on a meeting, a manufacturing process or an internal training session. Then imagine what that person could do with the information they obtained. That’s exactly the scenario laid out by cyber risk company BitSight.

For a new report about insecure IoT devices, BitSight discovered that one in 12 organizations with internet-facing webcams or similar devices failed to properly secure them, leaving them vulnerable to video or audio compromise. Specifically, 3% of organizations tracked by BitSight had at least one internet-facing video or audio device. Among those, 9% had at least one device with exposed video or audio feeds, giving someone the ability to directly view those feeds or eavesdrop on conversations.


Which organizations are most at risk to this hacking?

The organizations analyzed included ones in the hospitality, education, technology and government sectors. Out of these, the education area was at the greatest risk, with one in four using internet-facing webcams and similar devices susceptible to video or audio compromise.

Further, Fortune 1000 companies suffered the greatest exposure, including a Fortune 50 technology subsidiary, a Fortune 100 entertainment company, a Fortune 50 telecommunications company, a Fortune 1000 hospitality company and a Fortune 50 manufacturing company.

Which devices were analyzed in this cyber risk survey?

Most of the devices analyzed by BitSight use the Real-Time Streaming Protocol (RTSP) to communicate over the internet, though some use HTTP and HTTPS protocols. With RTSP, users can send video and audio content and run commands to record, play and pause the feed.

Though many of the devices examined for the report were webcams, the analysis also included network video recorders, smart doorbells and smart vacuums. Some devices were actually set up for security purposes.

Why the devices are at risk of being hacked

The internet-facing devices analyzed were not behind a firewall or VPN, leaving them open to fingerprinting and threats. Certain exposed devices were improperly configured, with some lacking any type of password set by the user. Other devices were stuck with a security flaw, with many hit by a specific access control vulnerability known as an insecure direct object reference (IDOR) vulnerability.

IDOR vulnerabilities have become more worrisome as of late, according to BitSight. In 2022, BitSight discovered several such critical vulnerabilities in a popular vehicle GPS tracker. Labeled as CVE-2022-34150, this flaw could allow a hacker to grab information from any device ID regardless of the user account signed into the device.
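The IDOR pattern described above, shown as an added example that is not from BitSight's report or from any affected product: a lookup that trusts the requested device ID, its hardened form with an object-level ownership check, and a regression check that lists cross-account reads. The device IDs, accounts and function names are hypothetical.

```python
# Constructed sample data: device ID -> owning account and last position.
DEVICES = {
    "dev-1001": {"owner": "alice", "position": (38.72, -9.14)},
    "dev-1002": {"owner": "bob", "position": (41.15, -8.61)},
}

class Forbidden(Exception):
    """Raised when the session may not read the requested device."""

def get_device_vulnerable(session_user, device_id):
    # IDOR: the caller is logged in, but the ID from the request is trusted
    # as-is, so any account can read any device.
    return DEVICES[device_id]

def get_device_hardened(session_user, device_id):
    device = DEVICES.get(device_id)
    # Object-level check; unknown and foreign IDs fail identically so the
    # response does not reveal which IDs exist.
    if device is None or device["owner"] != session_user:
        raise Forbidden(device_id)
    return device

def cross_account_reads(handler, users):
    """Regression check: list (user, device_id) pairs a non-owner can read."""
    leaks = []
    for user in users:
        for device_id, device in DEVICES.items():
            if device["owner"] == user:
                continue  # owners are expected to succeed
            try:
                handler(user, device_id)
            except Forbidden:
                continue  # correctly denied
            leaks.append((user, device_id))
    return leaks
```

Running `cross_account_reads` against every handler that accepts an object ID, as part of the test suite, catches a missing ownership check before release.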

At the very least, the video or audio feed should be protected by access control measures; however, many of them were not secured in this way, allowing attackers to view video feeds and spy on conversations. A savvy hacker could even alter the exposed feeds to spread false information, BitSight explained.

What are possible security impacts of such hacks?

Vulnerable webcams and other IoT devices open the door for several types of threats. An attacker could view private meetings and other conversations, enabling them to gather personal data or compromising information through a video or audio feed. The actual locations of employees and other people could be exposed. A hacker could also access business-related activities and conversations, allowing them to pick up sensitive information not only of the company but of any third parties.

The exposed information could threaten physical security. Some of the webcams analyzed by BitSight control secure doors and rooms, potentially giving criminals the information needed to thwart the security. Further, an organization’s overall cybersecurity could be at risk. Access to vulnerable audio and video devices gives attackers more data to compromise your internal systems and networks.

Some of the areas with vulnerable webcams included manufacturing facilities, laboratories, meeting rooms, school buildings and hotel lobbies.

How to reduce the risk from exposed webcams and IoT devices

To help your organization lessen the risk from internet-facing webcams and other IoT devices, BitSight offers a few tips.

First, identify any video or audio devices deployed across your organization and your business partners. Then analyze the security of these devices.

Put any vulnerable devices behind a firewall or VPN.

Set up access control measures to protect any devices that lack the proper authentication.

For devices that suffer from a software vulnerability, the developer needs to step in to provide a patch or otherwise secure the device. If the vendor can’t or won’t do this, your only option may be to switch to a different device or brand.
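One way to apply the first three tips to your own device inventory, as an added example that is not from BitSight or the original article. It assumes you already hold, for each device, an `internet_facing` flag taken from firewall or NAT records and the device's raw reply to an unauthenticated RTSP DESCRIBE captured during an authorized audit; the device names, replies and result labels are constructed.

```python
# Constructed sample data: (device, internet_facing, raw reply to an
# unauthenticated RTSP DESCRIBE captured in an authorized audit).
INVENTORY = [
    ("lobby-cam", True,
     b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n"),
    ("lab-nvr", True,
     b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
     b'WWW-Authenticate: Basic realm="nvr"\r\n\r\n'),
    ("dock-cam", False,
     b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
     b'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n'),
    ("old-doorbell", False, b"\x00\x01garbage"),
]

def classify(raw):
    """Map a reply to: open, weak-auth, auth-required or unknown."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "unknown"  # malformed or non-RTSP reply
    status = int(parts[1])
    if status == 200:
        return "open"  # stream description served without credentials
    # Collect the scheme token of every WWW-Authenticate challenge.
    schemes = {l.split(":", 1)[1].split()[0].lower() for l in lines[1:]
               if l.lower().startswith("www-authenticate:") and l.split(":", 1)[1].strip()}
    if status == 401 and "basic" in schemes:
        return "weak-auth"  # password is only base64-encoded on plain RTSP
    if status == 401 and schemes:
        return "auth-required"
    return "unknown"

def audit(inventory):
    """Return {device: [remediation steps]} following the tips above."""
    report = {}
    for name, internet_facing, raw in inventory:
        state, steps = classify(raw), []
        if internet_facing:
            steps.append("move behind firewall or VPN")
        if state in ("open", "weak-auth"):
            steps.append("enforce strong authentication")
        if state == "unknown":
            steps.append("inspect manually")
        report[name] = steps
    return report
```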

“This research shows that even everyday technologies, such as webcams, can leave organizations highly vulnerable if exposed,” BitSight Chief Risk Officer Derek Vadala said in a press release. “Understanding how these devices can increase an organization’s attack surface and taking the steps to deploy them in a manner that limits potential threats is critical.”

