Anyway, the FBI can take over

It is a nightmare for anyone who brings a surveillance camera into their home: criminal hackers exploit vulnerabilities and turn the device into a powerful spying tool that tracks every step the owner takes. At the end of 2016, SZ research into the so-called Internet of Things showed that security gaps are not the exception but the rule: from routers to toasters to webcams, many of the supposedly smart and networked devices are vulnerable because manufacturers consider profit to be more important than IT security. A current study by the IT consulting firm SEC-Consult shows how alarming the problem still is.

IT security researcher Stefan Viehböck has discovered serious security gaps in surveillance cameras from a Chinese manufacturer. The vulnerabilities affect several million users around the world, including in Germany. Criminals can tap into the video surveillance and watch the owners. Access to other devices in the local network is also possible.

What did SEC-Consult find out?

In short, Hangzhou Xiongmai Technology's products are a medium-sized security disaster. "Xiong... who?!" asks Viehböck in his research paper. In fact, hardly anyone is likely to know the name. The Chinese company is one of the largest producers of video surveillance technology. The devices are sold under different brand names. Xiongmai supplies more than 100 manufacturers, including Autoeye, A-Zone, Digoo, Nextrend and Techage.

Owners of Xiongmai devices can remotely access their surveillance cameras or network video recorders via a cloud interface. This makes it possible, for example, to check the camera's recordings with a smartphone while on vacation. Unfortunately, the rightful owners aren't the only ones who have this option. Third parties can access all transmitted data.

How high are the hurdles for attackers?

Ridiculously low. The unique identification number of the devices can be guessed with little effort. Valid login information is needed, but that is not an obstacle: the default password of the administrator account (user name "admin") is empty. Users are not asked to change this password during setup. Accordingly, a large share of the devices is likely to be wide open to attackers. Even changing the password only helps to a limited extent: attackers can also log in using another standard account (user name "default", password "tluafed", i.e. the name backwards) and access video transmissions.

How dangerous is the vulnerability?

The vulnerability opens up several possibilities for hackers. Viehböck names three scenarios: "The voyeur" can spy on users and even communicate directly with the victims if the device has a two-way intercom. "The targeted attacker" can gain access to the local network and take over other systems from there. "The botnet collector" can interconnect millions of Xiongmai devices to form so-called botnets and control them remotely. This enables massive DDoS attacks in which many devices access a specific Internet address at the same time. Entire server farms can be overloaded and large parts of the network can be paralyzed.

Depending on what attackers are up to, the gap threatens the privacy of normal users, the security of company networks or the entire network infrastructure. Johannes Greil, head of SEC-Consult's security laboratory, says that his company has no information as to whether the identified vulnerabilities have already been exploited. Xiongmai did not close any of the reported loopholes even after a period of seven months. Obviously, IT security is not high on the manufacturer's list of priorities.

How many users are affected?

Last March, SEC-Consult carried out random scans and extrapolated the result. According to this, at least nine million affected devices were online at the time. 1.3 million devices ran on a German server. But that does not mean that they are all in Germany: surveillance cameras in Great Britain are also assigned to this server. The number more likely corresponds to the devices in use across Europe.

How do I find out if I am affected?

Unfortunately, most users do not know that they own a Xiongmai device because the name is not mentioned in the manual or on the packaging. More than 100 manufacturers use Xiongmai's technology. It is correspondingly difficult to determine with certainty whether a device is affected. SEC-Consult gives several tips in its blog entry about the security gap and explains how users can proceed.

What can users do to protect themselves?

"Our current recommendation is to stop using the devices until the manufacturer has fixed all weak points for all affected devices," says Greil. Users should definitely change the passwords, even if this does not protect against all vulnerabilities. Greil advises potential buyers of surveillance cameras and other networked devices to choose manufacturers "who stand out positively in terms of security and have fast update cycles for security updates".

Basically, all devices that are connected to the Internet can be hacked. Additional cloud or peer-to-peer functions that enable remote access are particularly risky. If you get a supposed bargain here, you often pay for it later with your privacy.